Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
react-native-config
Advanced tools
The react-native-config package allows you to manage and use environment variables in your React Native application. It helps you to keep sensitive information like API keys, server URLs, and other configuration settings out of your codebase, making your app more secure and easier to manage.
Loading Environment Variables
This feature allows you to load environment variables from a .env file into your React Native application. You can access these variables using the Config object.
import Config from 'react-native-config';
const apiUrl = Config.API_URL;
console.log('API URL:', apiUrl);
Different Environments
You can define different environment variables for different environments (e.g., development, production) and use them to conditionally execute code based on the current environment.
import Config from 'react-native-config';
const environment = Config.ENV;
if (environment === 'production') {
// Production-specific code
} else {
// Development-specific code
}
Using Environment Variables in Native Code
// Android (build.gradle)
apply from: project(':react-native-config').projectDir.getPath() + "/dotenv.gradle"
// iOS (AppDelegate.m)
#import "ReactNativeConfig.h"
NSString *apiUrl = [ReactNativeConfig envFor:@
Module to expose config variables to your javascript code in React Native, supporting both iOS and Android.
Bring some 12 factor love to your mobile apps!
Create a new file .env
in the root of your React Native app:
API_URL=https://myapi.com
GOOGLE_MAPS_API_KEY=abcdefgh
Then access variables defined there from your app:
import Config from "react-native-config";
Config.API_URL; // 'https://myapi.com'
Config.GOOGLE_MAPS_API_KEY; // 'abcdefgh'
Keep in mind this module doesn't obfuscate or encrypt secrets for packaging, so do not store sensitive keys in .env
. It's basically impossible to prevent users from reverse engineering mobile app secrets, so design your app (and APIs) with that in mind.
Install the package:
$ yarn add react-native-config
Link the library:
$ react-native link react-native-config
if cocoapods are used in the project then pod has to be installed as well:
(cd ios; pod install)
You'll also need to manually apply a plugin to your app, from android/app/build.gradle
:
// 2nd line, add a new apply:
apply from: project(':react-native-config').projectDir.getPath() + "/dotenv.gradle"
In android/app/build.gradle
, if you use applicationIdSuffix
or applicationId
that is different from the package name indicated in AndroidManifest.xml
in <manifest package="...">
tag, for example, to support different build variants:
Add this in android/app/build.gradle
defaultConfig {
...
resValue "string", "build_config_package", "YOUR_PACKAGE_NAME_IN_ANDROIDMANIFEST.XML"
}
Config variables set in .env
are available to your Java classes via BuildConfig
:
public HttpURLConnection getApiClient() {
URL url = new URL(BuildConfig.API_URL);
// ...
}
You can also read them from your Gradle configuration:
defaultConfig {
applicationId project.env.get("APP_ID")
}
And use them to configure libraries in AndroidManifest.xml
and others:
<meta-data
android:name="com.google.android.geo.API_KEY"
android:value="@string/GOOGLE_MAPS_API_KEY" />
All variables are strings, so you may need to cast them. For instance, in Gradle:
versionCode project.env.get("VERSION_CODE").toInteger()
Once again, remember variables stored in .env
are published with your code, so DO NOT put anything sensitive there like your app signingConfigs
.
Read variables declared in .env
from your Obj-C classes like:
// import header
#import "ReactNativeConfig.h"
// then read individual keys like:
NSString *apiUrl = [ReactNativeConfig envFor:@"API_URL"];
// or just fetch the whole config
NSDictionary *config = [ReactNativeConfig env];
With one extra step environment values can be exposed to "Info.plist" and Build settings in the native project.
ios
folder as "Config.xcconfig" with the following content:#include? "tmp.xcconfig"
# react-native-config codegen
ios/tmp.xcconfig
"${SRCROOT}/../node_modules/react-native-config/ios/ReactNativeConfig/BuildXCConfig.rb" "${SRCROOT}/.." "${SRCROOT}/tmp.xcconfig"
Save config for different environments in different files: .env.staging
, .env.production
, etc.
By default react-native-config will read from .env
, but you can change it when building or releasing your app.
The simplest approach is to tell it what file to read with an environment variable, like:
$ ENVFILE=.env.staging react-native run-ios # bash
$ SET ENVFILE=.env.staging && react-native run-ios # windows
$ env:ENVFILE=".env.staging"; react-native run-ios # powershell
This also works for run-android
. Alternatively, there are platform-specific options below.
The same environment variable can be used to assemble releases with a different config:
$ cd android && ENVFILE=.env.staging ./gradlew assembleRelease
Alternatively, you can define a map in build.gradle
associating builds with env files. Do it before the apply from
call, and use build cases in lowercase, like:
project.ext.envConfigFiles = [
debug: ".env.development",
release: ".env.production",
anothercustombuild: ".env",
]
apply from: project(':react-native-config').projectDir.getPath() + "/dotenv.gradle"
The basic idea in iOS is to have one scheme per environment file, so you can easily alternate between them.
Start by creating a new scheme:
Then edit the newly created scheme to make it use a different env file. From the same "manage scheme" window:
echo ".env.staging" > /tmp/envfile # replace .env.staging for your file
This is still a bit experimental and dirty – let us know if you have a better idea on how to make iOS use different configurations opening a pull request or issue!
When Proguard is enabled (which it is by default for Android release builds), it can rename the BuildConfig
Java class in the minification process and prevent React Native Config from referencing it. To avoid this, add an exception to android/app/proguard-rules.pro
:
-keep class com.mypackage.BuildConfig { *; }
mypackage
should match the package
value in your app/src/main/AndroidManifest.xml
file.
For mocking the Config.FOO_BAR
usage, create a mock at __mocks__/react-native-config.js
:
// __mocks__/react-native-config.js
export default {
FOO_BAR: 'baz',
};
Created by Pedro Belo at Lugg.
FAQs
Expose config variables to React Native apps
The npm package react-native-config receives a total of 209,561 weekly downloads. As such, react-native-config popularity was classified as popular.
We found that react-native-config demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.