Component's Hidden value field variables - Access variables from chrome dev tools/debugger

rkr · October 19, 2021, 3:22pm

Hi

I am using a component (e.g. component1) which uses a variable's (e.g. var1) value (e.g. true/false) in its Hidden value field. This is to show or hide the component.

Just wanted to check if its possible to access this variable (var1) through chrome dev tools/debugger tools etc (or any other browser tools) on client side and change its content (true/false).

Have read on few forums that a running script's variable can be accessed and changed, by using some tools etc. in the browser. Just wanted to make this sure regarding retool apps, that there's way/(no way) to do such things.

Request to please advise.

thanks and regards,

Tess · October 20, 2021, 6:26pm

Hi @rkr Thanks for reaching out! Hmm, we may need more information about your specific use case, but in general, if the component is populated from a JS query, it would be very tricky, but may be possible that a user could modify the JS query to change the value. If the component is populated by a non-JS resource, that is a bit more secure in that the user wouldn't be able to modify the query

If there is a concern of internal users making these sorts of changes, or if this is a public app, it might be more secure to split into two different apps.

rkr · October 22, 2021, 9:20am

Hi,

Thanks for the revert.
As you described, storing/managing variables through JS query scripts might not be right way.

Also, there are JS expressions written in other places in an app. Can they be accessed by users?:

JS expressions in :

Transformers
Component's properties ('text1.value')
API resource query fields like 'Headers: {{..}}'

Request your inputs please.

thanks and regards,

rkr · October 25, 2021, 8:53am

Hi,
Really sorry for not mentioning the use case. Just want to find out the minimum use case scenario which is completely secure, both in private and public apps.

As JS queries are not very secure, should all the values be hardcoded or JS expressions can be used?

Request your advise please.

thanks and regards,
ravi rathore

Tess · October 27, 2021, 6:15pm

Hi @rkr Thanks for this context

Since Javascript is run in the front end, there is the possibility that it could be tampered with by a malicious user. To clarify, it's not necessarily a Retool limitation, but since Retool is run in the browser, this exposes some risk of malicious users accessing JS in your app.

As far as hardcoded values, it's hard to say, since you lose a good amount of functionality from not having dynamic values.

In general, public apps allow for unauthenticated, open access to the embedded app. If you need to give users access to confidential information or dangerous functionality, we recommend that you don't use a public app and instead require users to log in to Retool

rkr · November 4, 2021, 9:54am

Hi,
Thanks a lot for the help. Completely understood. I think, Retool is just great. And, thanks for building such a great platform.

Regards,
ravi rathore