🚨WARNING: YOUR SECRETS ARE NOT SECURE🚨
If you are using one of the following packages, your secrets are NOT secure:
secure_dotenv
Introducing secure_dotenv
for Flutter and Dart: Enhancing Security for Your Secrets ✨🔒
secure_dotenv
takes the security of your sensitive data in dotenv files to the next level. Unlike other dotenv packages that may leave your secrets vulnerable, secure_dotenv
prioritizes reliability and protection. Through advanced encryption, robust key management, and efficient secret decryption, secure_dotenv
ensures your secrets remain confidential and inaccessible to unauthorized users. Experience enhanced security and peace of mind with secure_dotenv
for your Flutter and Dart projects. 🛡️💼
Upgrade to secure_dotenv
today and bid farewell to insecure and flawed dotenv packages. Our carefully crafted solution addresses vulnerabilitiesd. With secure_dotenv
, your sensitive data remains under tight control, shielded from potential leaks and prying eyes. Embrace the gold standard of dotenv security by choosing secure_dotenv
for your Flutter and Dart development. 🚀✨
Platform Support
Android | iOS | MacOS | Web | Linux | Windows |
---|---|---|---|---|---|
✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Installing
To use the secure_dotenv
package, you need to add it as a dependency in your Dart project's pubspec.yaml
file along with the build_runner
and secure_dotenv_generator
packages as dev dependencies:
dependencies:
secure_dotenv: ^0.1.0
dev_dependencies:
build_runner: ^2.4.5
secure_dotenv_generator: ^0.1.0
Then, run the following command to fetch the packages:
$ dart pub get
Usage
To generate Dart classes from a .env
file using the secure_dotenv
package, follow the steps below:
- Create a Dart file in your project and import the necessary dependencies:
import 'package:secure_dotenv/secure_dotenv.dart';
import 'enum.dart' as e;
- Define the environment class and annotate it with
@DotEnvGen
:
@DotEnvGen(
filename: '.env',
encryptionType: AESMode.cbc,
fieldRename: FieldRename.screamingSnake,
)
abstract class Env {
const factory Env(String encryptionKey) = _$Env;
const Env._();
// Declare your environment variables as abstract getters
String get name;
@FieldKey(defaultValue: 1)
int get version;
e.Test? get test;
@FieldKey(name: 'TEST_2', defaultValue: e.Test.b)
e.Test get test2;
String get blah => '2';
}
- Generate the Dart classes by running the following command in your project's root directory:
NOTE: Encryption keys must be 128, 192, or 256 bits long. If you want to encrypt sensitive values, you can run the following command:
$ dart run build_runner build --define secure_dotenv_generator:secure_dotenv=ENCRYPTION_KEY=encryption_key --define secure_dotenv_generator:secure_dotenv=IV=your_iv
where encryption_key
is the encryption key you want to use to encrypt sensitive values and your_iv
is the initialization vector.
You can also ask secure_dotenv to generate these automatically and output them into a file:
$ dart run build_runner build --define secure_dotenv_generator:secure_dotenv=OUTPUT_FILE=encryption_key.json
If you don't want to encrypt sensitive values, you can run the following command instead:
$ dart run build_runner build
This command will generate the required Dart classes based on the .env
file and the annotations in your code.
- Use the generated class in your code:
void main() {
final env = Env('encryption_key'); // Provide the encryption key
print(env.name); // Access environment variables
print(env.version);
print(env.test);
print(env.test2);
print(env.blah);
}
Annotations
DotEnvGen
The @DotEnvGen
annotation configures the behavior of the code generation process. It has the following parameters:
filename
(optional): Specifies the name of the.env
file. Default value is.env
.encryptionType
(optional): Specifies the encryption type to use for encrypting sensitive values. Default value isAESMode.cbc
.fieldRename
(optional): Specifies the automatic field renaming behavior. Default value isFieldRename.screamingSnake
.
FieldKey
The @FieldKey
annotation is used to specify additional information for individual environment variables. It has the following parameters:
name
(optional): Specifies the key name for the environment variable. If not provided, the default key name is derived from the field name based on thefieldRename
behavior; see FieldRename Enum for more information.defaultValue
(optional): Specifies a default value for the environment variable if it is not found in the.env
file.
FieldRename Enum
The FieldRename
enum defines the automatic field renaming behavior. It has the following values:
none
: Uses the field name without changes.kebab
: Encodes a field namedkebabCase
with a keykebab-case
.snake
: Encodes a field namedsnakeCase
with a keysnake_case
.pascal
: Encodes a field namedpascalCase
with a keyPascalCase
.screamingSnake
: Encodes a field namedscreamingSnakeCase
with a keySCREAMING_SNAKE_CASE
.
Generated Code
The secure_dotenv
package generates the required code based on your annotations and the provided .env
file. Below is an example of the generated code:
// GENERATED CODE - DO NOT MODIFY BY HAND
// ignore_for_file: type=lint
part of 'example.dart';
// **************************************************************************
// SecureDotEnvAnnotationGenerator
// **************************************************************************
class _$Env extends Env {
const _$Env(this._encryptionKey) : super._();
final String _encryptionKey;
static const String _encryptedValues =
'2M+2zini7cxKJjb+KJ6N9s0iiLvCx3D2RRq2ZRC1nb3n+7TcfXsG0AAFKVzpVzKtAJa45Mwgcsb2gZqwd5GLklyKLz3Cljh/idTGnbSPyOFhcu8LiJVqTVwbVRWXbifuBLxtiRRZyD9F8aMS69R0OvWIr1Ja9ofPXpEKGPs+RTRLm6qjsL2T1U6Brbj2vxF/RPNa9mfblOF0BuZlTwKURiFCYOEauL42x4VXECyQ7AU=';
@override
String get name => _get('name');
@override
int get version => _get('version');
@override
e.Test? get test => _get(
'test',
fromString: e.Test.values.byName,
);
@override
e.Test get test2 => _get(
'TEST_2',
fromString: e.Test.values.byName,
);
@override
String get blah => _get('blah');
// Code for decrypting the values and retrieving the environment variables
T _get<T>(
String key, {
T Function(String)? fromString,
}) {
...
}
}
Enum Support
The secure_dotenv
package also supports decoding enum values from the encrypted .env
file. Here is an example of an enum and how it can be decoded:
enum Test {
a,
b,
}
Make sure to import the enum file in your code:
import 'enum.dart' as e;
Then, you can define a getter in your environment class as follows:
e.Test get test2;
This setup will ensure that the encrypted value is correctly decrypted and converted to the enum type.
Limitations
- The
secure_dotenv
package relies on thebuild_runner
tool to generate the required code. Therefore, you need to rundart run build_runner build
whenever changes are made to the environment class or the.env
file. - It is important to keep the encryption key secure and never commit it to version control or expose it in any way.
- The package currently supports encryption using the Advanced Encryption Standard (AES) algorithm in Cipher Block Chaining (CBC) mode. Other encryption algorithms and modes may be supported in the future.
Conclusion
The secure_dotenv
package simplifies the process of generating Dart classes from a .env
file while encrypting sensitive values. By using this package, you can ensure that your environment variables are securely stored and accessed in your Dart application.
Rotate your secrets - make sure the old ones are not valid anymore. If you have any questions or feedback, please feel free to open an issue.
Developed at Sports Visio, Inc
Maintainers