Compiled code shows secrets in the clear

[dinogregorich]

Is there a way to encode all the JavaScript files prior to or during deno compile? I did not see an option.

Background:
In the Javascript code, I include some secrets (like API KEYs) in the clear, with hope that the codes would be hidden in the exe file. However, after compiling for Windows, when looking at the executable with a text editor, towards the end, the javascript is in the clear and is visible, as well as my secrets.

[hironichu]

That is because deno compile just puts your code under the Deno binary (simplified but it's how it works)
basically, this was already discussed on the official Discord, and on github, i believe there is no official strategy on making the code "hidden" when using deno compile.

However, depending on what you are building of course, you should use a .env file instead of putting your secrets inside your javascript code.

As a side note, there is this repo that has not been updated but had the purpose of obfuscating the code directly inside deno, (that requires re-compiling deno)

https://github.com/littledivy/deno_compile

There isn't any other way (yet?)

[littledivy]

FYI https://github.com/littledivy/deno_compile does not obfuscate the code. It's not hidden either, the source is stored in the .text section on the binary.

[hironichu]

Ahh yeah I thought after the discussion on Discord, that you used https://github.com/CasualX/obfstr
however i noticed after that it wasn't the case ^^, thanks for letting me know.

[wblondel]

TLDR: Never put secrets in your code, this is a very bad practice. You should never version-control them either.

First, let me say that an executable file might look like gibberish when opened in a text editor, but it is actually a structured file.

Deno compile does for Deno what nexe or pkg do for Node: create a standalone, self-contained binary from your JavaScript or TypeScript source code, which means that your code is bundled as-is.

You could use obfuscation techniques to "hide" your code and secrets, but that just means it will be more difficult to see them, it won't be impossible. So you should not rely on that.

A great solution though would be to just NOT ship any kind of credentials with your code. Load them from a file, environment variables, etc. And never commit the file or else it will show in your repository history (even if you delete it afterwards).

[dinogregorich]

Thank you all for your quick responses. FYI, normally, I never put secrets in code, I use the .env files. The reason I was investigating the Deno Compiler is for those small 'scripts' that I wanted to encode and pass to others within our organization, like our network ops guy so I could write some canned service code and just provide him the exe. As a test of the compiler, I put secrets that are normally in the .env file in the code to see if they were visible, and I found that they were. So based on the responses, hiding values in the compiled code is not an option. I will have to find my own way to obfuscate my secrets. So maybe my original post should have been 'encrypt javascript code compile option' in the 'Ideas' section?

[wblondel]

If you or Deno encrypts the code, the code still has to be decrypted before running it, with a password for exemple. And you will have to give the password to your users. So at the end it doesn't make any difference because the code will be decrypted either in memory or on disk.

I don't know why you need to give your secrets, is it to communicate with an API? This is not related to Deno in any way but you should create credentials for each of your users instead of giving your credentials to everyone, and make your users enter the creds in a config file.

[dinogregorich]

Yes, the secrets are APIKEYs for use with some of the APIs in the script. I just wanted to keep it simple. But security always prevents that doesn't it? I think I need to stay with the .env method, provide the exe to the ops guy, add his account to the API so he can use his own APIKEY and then he can add it to the .env file that he will use with the exe.

[wblondel]

Yes, this is how it should be done IMO 😁

And if these credentials get leaked or whatever, you can disable this one specifically and only this user will be impacted.

[dinogregorich]

You are right, and all great points. Thank you for the dialog this morning. It helps sometimes to get feedback and sanity checks from others outside our own organizations. Have a great day!!!