flutter_secure_dotenv

Introducing flutter_secure_dotenv for Flutter and Dart: Enhancing Security for Your Secrets ✨🔒

flutter_secure_dotenv takes the security of your sensitive data in dotenv files to the next level. Unlike other dotenv packages that may leave your secrets vulnerable, flutter_secure_dotenv prioritizes reliability and protection. Through advanced encryption, robust key management, and efficient secret decryption, flutter_secure_dotenv ensures your secrets remain confidential and inaccessible to unauthorized users. Experience enhanced security and peace of mind with flutter_secure_dotenv for your Flutter and Dart projects. 🛡️💼

This package continues the discontinued secure_dotenv package, providing the same level of security and more.

Upgrade to flutter_secure_dotenv today and bid farewell to insecure and flawed dotenv packages. Our carefully crafted solution addresses vulnerabilities. With flutter_secure_dotenv, your sensitive data remains under tight control, shielded from potential leaks and prying eyes. Embrace the gold standard of dotenv security by choosing flutter_secure_dotenv for your Flutter and Dart development. 🚀✨

Platform Support

Android	iOS	MacOS	Web	Linux	Windows
✅	✅	✅	✅	✅	✅

Installing

To use the flutter_secure_dotenv package, you need to add it as a dependency in your Dart project's pubspec.yaml file along with the build_runner and flutter_secure_dotenv_generator packages as dev dependencies:

dependencies:
  flutter_secure_dotenv: ^1.0.1

dev_dependencies:
  build_runner: ^2.4.14
  flutter_secure_dotenv_generator: ^1.0.3

Then, run the following command to fetch the packages:

$ dart pub get

Usage

To generate Dart classes from a .env file using the flutter_secure_dotenv package, follow the steps below:

1. Create a Dart file in your project and import the necessary dependencies:

import 'package:flutter_secure_dotenv/flutter_secure_dotenv.dart';
import 'enum.dart' as e;

part 'example.g.dart';

2. Define the environment class and annotate it with @DotEnvGen:

@DotEnvGen(
  filename: '.env',
  fieldRename: FieldRename.screamingSnake,
)
abstract class Env {
  const factory Env(String encryptionKey) = _$Env;

  const Env._();

  // Declare your environment variables as abstract getters
  String get name;

  @FieldKey(defaultValue: 1)
  int get version;

  e.Test? get test;

  @FieldKey(name: 'TEST_2', defaultValue: e.Test.b)
  e.Test get test2;

  String get blah => '2';
}

3. Generate the Dart classes by running the following command in your project's root directory:

NOTE: Encryption keys must be 128, 192, or 256 bits long. If you want to encrypt sensitive values, you can run the following command:

$ dart run build_runner build --define flutter_secure_dotenv_generator:flutter_secure_dotenv=ENCRYPTION_KEY=Your_Encryption_Key --define flutter_secure_dotenv_generator:flutter_secure_dotenv=IV=Your_IV_Key --define flutter_secure_dotenv_generator:flutter_secure_dotenv=OUTPUT_FILE=encryption_key.json

where encryption_key is the encryption key you want to use to encrypt sensitive values and your_iv is the initialization vector.

You can also ask flutter_secure_dotenv to generate these automatically and output them into a file:

$ dart run build_runner build --define flutter_secure_dotenv_generator:flutter_secure_dotenv=OUTPUT_FILE=encryption_key.json

If you don't want to encrypt sensitive values, you can run the following command instead:

$ dart run build_runner build

This command will generate the required Dart classes based on the .env file and the annotations in your code.

4. Use the generated class in your code:

void main() {
  final env = Env('encryption_key'); // Provide the encryption key
  print(env.name); // Access environment variables
  print(env.version);
  print(env.test);
  print(env.test2);
  print(env.blah);
}

Annotations

DotEnvGen

The @DotEnvGen annotation configures the behavior of the code generation process. It has the following parameters:

• filename (optional): Specifies the name of the .env file. Default value is .env.
• fieldRename (optional): Specifies the automatic field renaming behavior. Default value is FieldRename.screamingSnake.

FieldKey

The @FieldKey annotation is used to specify additional information for individual environment variables. It has the following parameters:

• name (optional): Specifies the key name for the environment variable. If not provided, the default key name is derived from the field name based on the fieldRename behavior; see FieldRename Enum for more information.
• defaultValue (optional): Specifies a default value for the environment variable if it is not found in the .env file.

FieldRename Enum

The FieldRename enum defines the automatic field renaming behavior. It has the following values:

• none: Uses the field name without changes.
• kebab: Encodes a field named kebabCase with a key kebab-case.
• snake: Encodes a field named snakeCase with a key snake_case.
• pascal: Encodes a field named pascalCase with a key PascalCase.
• screamingSnake: Encodes a field named screamingSnakeCase with a key SCREAMING_SNAKE_CASE.

Generated Code

The flutter_secure_dotenv package generates the required code based on your annotations and the provided .env file. Below is an example of the generated code:

// GENERATED CODE - DO NOT MODIFY BY HAND

// ignore_for_file: type=lint

part of 'example.dart';

// **************************************************************************
// FlutterSecureDotEnvAnnotationGenerator
// **************************************************************************

class _$Env extends Env {
  const _$Env(this._encryptionKey) : super._();

  final String _encryptionKey;
  static final Uint8List _encryptedValues = Uint8List.fromList([81, 83,...]);
  @override
  String get name => _get('name');

  @override
  int get version => _get('version');

  @override
  e.Test? get test => _get(
        'test',
        fromString: e.Test.values.byName,
      );

  @override
  e.Test get test2 => _get(
        'TEST_2',
        fromString: e.Test.values.byName,
      );

  @override
  String get blah => _get('blah');

  // Code for decrypting the values and retrieving the environment variables
  T _get<T>(
    String key, {
    T Function(String)? fromString,
  }) {
    ...
  }
}

Enum Support

The flutter_secure_dotenv package also supports decoding enum values from the encrypted .env file. Here is an example of an enum and how it can be decoded:

enum Test {
  a,
  b,
}

Make sure to import the enum file in your code:

import 'enum.dart' as e;

Then, you can define a getter in your environment class as follows:

e.Test get test2;

This setup will ensure that the encrypted value is correctly decrypted and converted to the enum type.

Limitations

• The flutter_secure_dotenv package relies on the build_runner tool to generate the required code. Therefore, you need to run dart run build_runner build whenever changes are made to the environment class or the .env file.
• It is important to keep the encryption key secure and never commit it to version control or expose it in any way.
• The package currently supports encryption using the Advanced Encryption Standard (AES) algorithm in Cipher Block Chaining (CBC) mode. Other encryption algorithms and modes may be supported in the future.
• Because we started using pointycastle now we only support CBC for now, but we will add support for other modes in the future. If you need another mode, please open an issue.

Conclusion

The flutter_secure_dotenv package simplifies the process of generating Dart classes from a .env file while encrypting sensitive values. By using this package, you can ensure that your environment variables are securely stored and accessed in your Dart application.

Rotate your secrets - make sure the old ones are not valid anymore. If you have any questions or feedback, please feel free to open an issue.

Features and Bugs

Please file feature requests and bugs at the issue tracker.