Serverless: How to Publish Your App and Not Your Source Code

By Ilya Kaminsky. Published in The Academy, Nov 10, 2019 (2 min read).

Serverless platforms are great. Some of them allow you to publish apps without having to pay a dime. The caveat is that your source code must be public as well. That’s perfectly fine for small experiments and open source projects, but what if you want to keep your code to yourself? Well, with the power of two-way encryption, private environment variables, and an eval() function, it is possible to keep your apps public and your code private. Continue reading below to find out how.

For this demonstration, we’re going to look at the “Obfuscated Source Code Experiment.” I’ve set it up on RunKit, which is a Serverless platform for Node.js. You can see the final version of the app by navigating over to the published endpoint at https://obfuscated-source-code-experiment-4rfhxf9cxpqi.runkit.sh. But, when you look at the source code, this is all you see:

Public source code

In the meantime, the actual source code for the application can be safely stored locally or in a private repository. Though you wouldn’t normally see it, here’s what it looks like for the app above:

Hidden source code

And here is the boilerplate code to encrypt the secretFunction into a string and to print it in the console:

Boilerplate source code

All of this is enabled by the magic of environment variables. They are an integral part of the Serverless paradigm, allowing developers to keep their secret values private. They're generally used for things like authentication tokens, access keys, and configuration variables. You can learn a lot more about them by reading the third rule of the Twelve-Factor App guide.

You can set secret environment variables on RunKit
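The flow described above, as an added example (not the author's code, which is not reproduced on this page). It uses AES-256-GCM from Node's built-in crypto module in place of simple-crypto-js, so a modified string fails authentication before it reaches eval(). The SOURCE_KEY variable name, the helper names and the body of the sample secretFunction are assumptions.

```javascript
// Added example: AES-256-GCM from Node's built-in crypto stands in for simple-crypto-js.
const crypto = require('node:crypto');

// Assumption: the secret environment variable holds a passphrase; SOURCE_KEY is a hypothetical name.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Run locally: turn the private function's source into one opaque string for the public file.
function encryptSource(source, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(source, 'utf8'), cipher.final()]);
  // Layout: salt (16) | iv (12) | auth tag (16) | ciphertext
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('base64');
}

// Runs on the platform: decrypt, returning the source only if the GCM tag verifies.
function decryptSource(blob, passphrase) {
  if (!passphrase) throw new Error('secret environment variable is not set');
  const raw = Buffer.from(blob, 'base64');
  const salt = raw.subarray(0, 16);
  const iv = raw.subarray(16, 28);
  const tag = raw.subarray(28, 44);
  const body = raw.subarray(44);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAuthTag(tag);
  // final() throws if the blob was altered or the passphrase is wrong.
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

function loadSecretFunction(blob, passphrase) {
  // eval runs whatever decrypts, so the tag check is what keeps an edited blob from executing.
  return (0, eval)(`(${decryptSource(blob, passphrase)})`);
}

// Constructed sample: a stand-in for the private secretFunction and a throwaway passphrase.
const hiddenSource = 'function secretFunction(name) { return `Hello, ${name}!`; }';
const samplePassphrase = process.env.SOURCE_KEY || 'constructed-demo-passphrase';
const publicBlob = encryptSource(hiddenSource, samplePassphrase);
const secretFunction = loadSecretFunction(publicBlob, samplePassphrase);
console.log(secretFunction('RunKit'));
```

The decrypted source still exists in plaintext inside the running process, so this hides the code from readers of the public file, not from anyone who can read the environment variable.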

Disclaimer: I am not a security expert. Do your own research to find a secure package that offers two-way encryption that suits your needs. I only picked simple-crypto-js because it worked well enough for this proof-of-concept.
