Uplink Security

Sharing

Whoever you share the text of your server Uplink key with will have the same access to your app. So be careful if you are releasing your code online or sharing it outside your organisation. You may want to modify your scripts to remove lines with the plain text of the Uplink key:

anvil.server.connect("<your Uplink key>")

You can instead read the key in from a file or an environment variable, and .gitignore any file you use to set the key locally. That way it is not shared with people you don’t trust fully. For instance:

import anvil.server

# Read the key from a file that is listed in .gitignore, so the plain-text
# key never enters version control alongside the script.
with open("<file with secret uplink key in first line>", 'r') as fin:
    uplink_key = fin.read().splitlines()[0]

anvil.server.connect(uplink_key)

Sometimes you want to connect a system to your app, but you don’t want to trust that system with your data. It might be an IoT device that could be easily compromised, or it might be a script running on a customer’s machine.

The Uplink has a mode that gives it the same privileges as client-side code. Client-side code needs to have its privileges locked down because the user can control the code that runs in their browser. The same logic applies to untrusted Uplink code.

For that reason, you can use a special ‘client’ Uplink key that gives your script the more restricted privileges of client-side code.

The Uplink dialog allows you to select both server and client authentication keys:

Part of the Uplink dialog, where you can select Server or Client versions of the Uplink.

You can use either one from different Uplink scripts: you can have separate server and client Uplink scripts connecting to your app at the same time.

Server uplink code (connected with the server key) has the same privileges as server module code. As well as calling server functions, it can access data tables, log users in, and register new server functions with @anvil.server.callable. Use the server key for trusted code.

Client code (connected with the client key) has the same privileges as code in your app’s Forms. It cannot access Data Tables unless they have been set to client-accessible, and it cannot register server functions. It can still call server functions, which allows you to selectively expose functionality by writing server functions that perform only the operations you’re willing to expose. This is the security best-practice that applies to Form code as well.

Development vs. Published apps

If your app has been published, you have two Uplink keys:

Part of the Uplink dialog, where you can select development or published versions of the Uplink key.

The Uplink key ending in “-DEV” connects to the “development” version of your app. The Uplink key that doesn’t end in “-DEV” connects to the “published” version of your app.

To check whether your Uplink is connected to the development or published version of your app, you can use anvil.app.branch, which is “master” for the development version and “published” for the published version.

If you start with an “unpublished” app, and then publish a version of your app while you have an Uplink connected, it’s good practice to reconnect your Uplink so that it connects to the “published” branch.

Where your app will look for server functions depends on the version of your app your Uplink is connected to, and the version of your app that’s calling your server functions.

App running in development

An app running in development will look for server functions in these locations, in the following order:

  1. Uplink connected to “development” version
  2. Uplink connected to “published” version
  3. Server Modules

If your Uplink is connected to the “published” version of your app, your Uplink will also receive server calls from the “development” version if those server functions aren’t registered on an Uplink connected to the “development” version of your app.

Published app running

A live, published app will look for server functions in these locations, in the following order:

  1. Uplink connected to “published” version
  2. Server Modules

If your Uplink is connected to the “development” version of your app, your Uplink will not receive any server calls from the “published” version of your app.
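The following is an added example, not Anvil’s own code, that models the rules described in this section: reading the key from the environment or a .gitignored file rather than from source, which branch a key connects to based on its “-DEV” suffix, and the order in which each version of the app searches for a server function. The environment variable name ANVIL_UPLINK_KEY and the location labels are assumptions made for the example.

```python
import os

# Labels for the places a server call can be handled (names are assumptions).
UPLINK_DEV = "uplink:development"
UPLINK_PUBLISHED = "uplink:published"
SERVER_MODULES = "server modules"

# Search order per app version, keyed by anvil.app.branch values:
# "master" is the development version, "published" the published version.
LOOKUP_ORDER = {
    "master": [UPLINK_DEV, UPLINK_PUBLISHED, SERVER_MODULES],
    "published": [UPLINK_PUBLISHED, SERVER_MODULES],
}


def load_uplink_key(env_var="ANVIL_UPLINK_KEY", key_file=None):
    """Read the Uplink key from the environment, or from a .gitignored file.

    The key is never written into the script itself, so sharing the code
    does not share the key. Raises if no key is configured at all.
    """
    key = os.environ.get(env_var)
    if key is None and key_file is not None:
        with open(key_file) as fin:
            key = fin.read().splitlines()[0].strip()
    if not key:
        raise RuntimeError("no Uplink key configured: set %s or pass key_file" % env_var)
    return key


def branch_for_key(key):
    """Which version of the app an Uplink using this key connects to."""
    return "master" if key.endswith("-DEV") else "published"


def resolve_server_call(app_branch, registered_in):
    """Return where a server call from an app on `app_branch` is handled.

    `registered_in` is the set of locations that registered the function.
    Returns None when nothing in the search order provides it, which is
    what happens to a published app when only a development Uplink has
    registered the function.
    """
    for location in LOOKUP_ORDER[app_branch]:
        if location in registered_in:
            return location
    return None
```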