Yet another question about hiding client python source code

mapgar · February 25, 2023, 12:17am

What I’m trying to do:
Hide the client-side python source of the main application before the user logs in.

To simplify: I want a Login form, and a Working form
The Login form just handles login. If you do a view source on it, you see it makes a server call to whatever it uses in the server module to log in or maybe just something like:

anvil.users.login_with_form()
open_form('WorkingForm')

It would not load the WorkingForm python code to the browser until after login

I’m not as concerned with being able to view the entire client-side source code from people who have logged in, but I AM concerned with unknown people being able to read the entire client-side source code without logging in first. It just surfaces too much information.

What I’ve tried and what’s not working:
I’ve tried using a module as the startup
I’ve tried putting the WorkingForm in a package

Things I have not tried yet:
Have a login application and then pass control onto the main app

Related discussions I found in the forums:

mapgar · February 25, 2023, 1:07am

An interesting thing I ran across while looking into passing control:

I was able to create an app that used the users table from another app, but logging into one did not seem to have me logged into the other one.

This suggests that there is a way to do single sign on

But I’m not sure anvil will actually let me do this without re-authenticating in the second app

Continuing to look, but I wanted this here in case it could help others, or help people understand what I want to do

jshaffstall · February 25, 2023, 1:55am

Did you check the box to share login status between the apps? You have to do that in the Users service in all the apps that will share the login status.

mapgar · February 25, 2023, 2:09am

Is that available in the normal IDE? Or just “Classic”?

This is what I’m seeing:

I can’t seem to figure out how to switch to classic.
edit: I did figure out how to switch to classic, but I still did not see that option.

I do see the option in the anvil.yaml file. I’ll try editing it there

jshaffstall · February 25, 2023, 2:43am

Huh…I see different options in an older app, but in a newly created app I see the same options you’re seeing. Not sure what’s going on with newer apps, or the shared login feature.

mapgar · February 25, 2023, 2:56am

Yeah, I see it in an older app too.
I edited the anvil.yaml directly for both apps to add the:
share_login_status: true

But it does not seem to make a difference.

stefano.menci · February 25, 2023, 6:15am

The whole app is loaded to the client when it starts.

You could create two apps that share the users table and the login. One app manages the login and redirects to the second app after the login. The second app redirects to the first after the logout.

The problem with this is that the first app doesn’t expose the code of the second app, but exposes its url, and anyone can go to the second url and load the code. The second app will only render a form that says “please login”, or it will immediately redirect to the first app, but the client side code will be visible.

meelvoorfer · February 25, 2023, 12:26pm

couldn’t you store the ‘secret’ url server side, and then after the user has logged in, do an anvil.js.window.location.assign(‘secret url’) ?