I’ve been a casual on/off RB/RS/Xojo user over the years, but haven’t really used it in anger since (checks licenses) 2006! I bought a Web license recently as being a backend developer with antiquated front end skills, this seemed the easiest way for me to get something up and running quickly without having to get a JS dev involved at this stage.
My background is database design/build and server code, mostly in Python these days, although I’ve gone through a plethora of other languages in my career (started on AS/400 midrange mainframes).
My question is this - when building a Xojo app (Web or otherwise), what is the best practice for storing database credentials, and indeed any other credentials such as 3rd party API keys?
Obviously I do not want to store them in the code itself as that would be a security risk the moment it was pushed up to my git repo.
In Django/FastAPI/Masonite etc in the Python world (and other languages) I’ve normally used an ini file in a safe folder or env vars, or Secrets Manager on AWS. What is the Xojo way? I scanned the docs but could not find a reference to this although I may well have missed it. If it’s there, I’d appreciate a pointer to the right page.
There is not really a “Xojo way”. You should be able to do the same thing with Xojo as with Python. You can read ini files with Xojo or use environment variables. I’ve never worked with the Secrets Manager in AWS but since it seems to be a RESTful api, you should be able to use it with Xojo too.
and how about store a readable secret to decrypt the config. (as example in windows registry)
someone need at least know the algorithms and context or its useless.
Just a simple layer to avoid secrets exposed IN (and with) the source code. You can set secrets in a local .env file, for example, that exposes those values to your program as environment values, and you add the .env to your .gitignore list to avoid such secrets being uploaded (committed) to the shared remote repo. Your code is harmless there. Your secrets are isolated with you, local.
There seem to be 2 different questions being answered here.
Where do I store sensitive credentials? In environment variables.
How do I keep them out of my repo? Use an .env file that you put in your .ignore file. Note that this is on your dev machine. Use another mechanism to put them in production.
As far as I know Mac OS Gui-Apps (such as Xojo) can’t read environment variables in modern versions of Mac OS. At least I tried and failed and that’s what the LLM I trust (Claude AI) told me. It does work when you start Xojo from the terminal btw. Anyway, I switched to using the keychain for this purpose for my debugbuilds on Mac OS 15.5. This appears to work just fine.
In the terminal:
security add-generic-password -a “myApp” -s “App_PWD” -w “mySecretPassword” to write and in Xojo
Var s As New Shell
s.Execute(“security find-generic-password -a ‘MyApp’ -s ‘App_PWD’ -w”)
result = s.Result.Trim
That’s good to hear. I intend to buy a Lifeboat license if I decide to proceed with Xojo Web after getting more experience of it. From all the tings I’ve read about it, seems a really great tool.
