
I've seen some examples that use tronweb in a web application. I would think that seems insecure. Even the documentation says not to use it in a public/user-facing application. Is there a way to use tronweb in a browser (i.e., a JavaScript code base)?

Edit:

This is where it says not to use it in public apps: https://developers.tron.network/docs/tool-methods#section-set-private-key


Victor P
  • Are you talking about https://github.com/tronprotocol/tron-web? As the name suggests, isn't the primary use case web apps? Where do you see documentation that "says not to use it in a public/user facing application"? What would be insecure about such use? – user94559 May 02 '19 at 04:29
  • @smarx I updated the question with a link and screen shot. – Victor P May 02 '19 at 12:12
  • "This" in the highlighted sentence refers to the `setPrivateKey` function. – user94559 May 02 '19 at 12:29
  • Not sure how that's any different than providing it to the constructor. How do you secure your privateKey if it's client-side? – Victor P May 02 '19 at 13:51
  • I'm not very familiar with TRON, but I think TronLink is the missing piece you're looking for. It looks like the TRON equivalent of MetaMask, which holds a user's private key and signs transactions only after user confirmation. This protects the user from having to reveal their private key to the DApp. – user94559 May 02 '19 at 14:12
  • Yes, you're right. The recommended way is to use TronLink. Also, even if you didn't use TronLink, entering your private key in a dApp is still only scoped to your browser because tronweb would not expose it over the wire. It seems I was misunderstanding how the private key got in the tronweb instance. – Victor P May 02 '19 at 17:54
