I built a mix of the blink and morse tutorials, which was fun, but…
I recognised that in the resulting web page all of the server side Python code is visible in the HTML source.
Code Sample:
```python
def button_blink_click(self, **event_args):
    """This method is called when the button is clicked"""
    anvil.server.call('pico_fn', 5)
```
Inspection of the source code in the browser’s console reveals
[…] def button_blink_click(self, **event_args):\n """This method is called when the button is clicked"""\n anvil.server.call('pico_fn', 5) […]
This is not what I expected.
I’d rather have my source code hidden, because I do not want others to anticipate what should be “worked on”, especially giving away answers to puzzles, riddles, questions etc.
I reckon this COULD be hidden in database entries, but nonetheless can be written in python code plain and easy.
I do not regard it absolutely necessary to let web site visitors examine server side python code.
Maybe I got this wrong, but the example states that the function button_blink_click() is server side.
The actual code that blinks my Pi Pico W resides on my Pico and truly is not visible - at least not as long as I don’t connect the Pico to my computer and open boot.py and main.py (where one COULD extract the WLAN password AND the server uplink key, which would be worse, to say the least).
Maybe a little bit of “encryption by obfuscation” would do the trick, even if that would not really be encrypted at all. Just enough to keep the nosy people out.
This is how Skulpt (the Python → JavaScript transpiler) works. It runs in each user’s browser, not Anvil’s servers, converting the client_code/*.py files into equivalent (browser-specific?) JavaScript code, for the browser to execute.
This can work only if those particular files are transmitted to the browser, for translation.
The event-handler you describe (button_blink_click) is handling a browser-side event, so it has to be running in the browser. The comment is likely referring to function pico_fn, which resides outside the browser. Its code is not transmitted to the browser, so users can’t see how it is implemented, much less hack it up.
Edit: That said, some compaction/obfuscation would likely be welcome to many Anvil app developers.
OK, I understand. The function residing on the server (aka. my Pi Pico W) is called by the client (aka. the browser) via anvil.server.call() which is rather self-explanatory. So I wrongly got the “client/server” approach reversed.
I will try and put all the “to be hidden” code on my Pi Pico then. This leaves the problem of somebody connecting the Pico to their computer and retrieving some secrets to be solved.
And yes: obfuscation would be very much appreciated.
What you’re seeing is client-side code, which has to be visible for the browser to run it. Server-side code (like in your anvil.server.call) stays hidden, so sensitive stuff is safe there.
Thanks delacruzcortez0902,
as I am just at the beginning of a probably steep learning curve, I am sure I will have to get along with the limitations of MicroPython on my Pi Pico(s) and dive into Server Modules to cope with that very quickly.
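The client/server split discussed in this thread, applied to the puzzle-answer case, as an added example that is not code from any poster or from Anvil's documentation. It assumes a Server Module with full Python; `check_answer`, `riddle-1`, `button_check_click` and `text_box_guess` are hypothetical names, and the salt and answer are constructed sample data.

```python
import hashlib
import hmac

try:
    import anvil.server                  # available in a Server Module or Uplink script
    server_callable = anvil.server.callable
except ImportError:                      # fallback so the sketch also runs outside Anvil
    def server_callable(fn):
        return fn

# Constructed sample data. It exists only on the server side, so it is never
# transmitted to the browser the way the client_code/*.py files are.
_SALT = b"constructed-sample-salt"


def _digest(text):
    """Normalise a guess and hash it, so the plain answer need not be stored."""
    return hashlib.sha256(_SALT + text.strip().lower().encode("utf-8")).hexdigest()


# Computed inline for the sample; in practice store only the precomputed digest.
_ANSWERS = {"riddle-1": _digest("an echo")}   # hypothetical puzzle id and answer


@server_callable
def check_answer(puzzle_id, guess):
    """Return only True or False; the answer itself never leaves the server."""
    # Arguments arrive from the browser, so treat them as untrusted input.
    if not isinstance(puzzle_id, str) or not isinstance(guess, str):
        return False
    if len(guess) > 200:                 # bound the work done per call
        return False
    expected = _ANSWERS.get(puzzle_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected, _digest(guess))


# Client side (this part IS visible in the page source), shown as a comment:
#   def button_check_click(self, **event_args):
#       ok = anvil.server.call('check_answer', 'riddle-1', self.text_box_guess.text)
```

Only the call name and its arguments appear in the browser; the comparison and the stored digest stay in the server-side function.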