Misconfiguration allows users to log all app requests and actions in a production App
Problem
According to the documentation to get started with Reactotron you need to import the config file just in __DEV__ mode:
if(__DEV__) {
  import('./ReactotronConfig').then(() => console.log('Reactotron Configured'))
}
Reference: https://github.com/infinitered/reactotron/blob/master/docs/quick-start-react-native.md
But when you follow Reactotron config for redux integration documentation it says to import this file again, but this time without __DEV__ verification. That initializes Reactotron in a production app, allowing any user to log all our requests and actions just by connecting his device to the PC and running adb reverse tcp:9090 tcp:9090
import { createStore } from 'redux'
+ import Reactotron from './ReactotronConfig'
- const store = createStore(rootReducer)
+ const store = createStore(rootReducer, Reactotron.createEnhancer())
+ // or const store = createStore(rootReducer, preloadedState, Reactotron.createEnhancer())
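Review bot: the added `import Reactotron from './ReactotronConfig'` line is a static import with no `__DEV__` check, so the config module runs and `Reactotron.createEnhancer()` is attached to the store in every build, release included. Suggest loading the config only inside `if (__DEV__) { ... }` and passing the enhancer to `createStore` only in that case, consistent with the quick-start snippet.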
Reference: https://github.com/infinitered/reactotron/blob/master/docs/plugin-redux.md
Solution
My proposal is to change the Docs to make sure that we are not logging any request or action in production applications. So other users will have this issue again.
OBS: Please let me know if I'm wrong with anything in this issue, or if there is somewhere in the docs explaining about it.
Maybe this helps? https://github.com/infinitered/reactotron/issues/173#issuecomment-606680690
I just noticed the same issue. The workaround will indeed work, but the docs should also get updated so people don't misconfigure it that way.
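A check that a build pipeline could run over app source files (other than ReactotronConfig itself) to catch the misconfiguration discussed in this thread. This is an added example, not code from the issue or the Reactotron project; the function name, the sample sources and the default export of ReactotronConfig are assumptions.

```javascript
// Added example, not Reactotron project code. Heuristic: counts braces line by
// line and ignores strings/comments, so treat findings as review prompts.
const STATIC_IMPORT = /^\s*import\s[^;]*from\s+['"][^'"]*reactotron[^'"]*['"]/i;
const DYNAMIC_LOAD = /\b(?:require|import)\s*\(\s*['"][^'"]*reactotron[^'"]*['"]\s*\)/i;
const DEV_GUARD = /\bif\s*\(\s*__DEV__\s*\)/;

function findUnguardedReactotron(source) {
  const findings = [];
  let depth = 0;         // current brace nesting
  let guardDepth = null; // nesting level where an `if (__DEV__)` block opened

  source.split('\n').forEach((text, index) => {
    if (DEV_GUARD.test(text) && guardDepth === null) guardDepth = depth;
    const guarded = guardDepth !== null;
    if (STATIC_IMPORT.test(text)) {
      // Static imports sit at module top level and cannot be made conditional.
      findings.push({ line: index + 1, reason: 'static import' });
    } else if (DYNAMIC_LOAD.test(text) && !guarded) {
      findings.push({ line: index + 1, reason: 'load outside __DEV__ guard' });
    }
    for (const ch of text) {
      if (ch === '{') depth += 1;
      if (ch === '}') depth -= 1;
    }
    // The guard ends when its block closes (or right after a brace-less one-liner).
    if (guardDepth !== null && depth <= guardDepth) guardDepth = null;
  });
  return findings;
}

// Constructed sample inputs: the store setup as quoted in the issue, and a
// guarded variant (assumes ReactotronConfig has a default export).
const UNGUARDED_STORE = [
  "import { createStore } from 'redux'",
  "import Reactotron from './ReactotronConfig'",
  "const store = createStore(rootReducer, Reactotron.createEnhancer())",
].join('\n');

const GUARDED_STORE = [
  "import { createStore } from 'redux'",
  "let enhancer",
  "if (__DEV__) {",
  "  enhancer = require('./ReactotronConfig').default.createEnhancer()",
  "}",
  "const store = createStore(rootReducer, enhancer)",
].join('\n');

console.log(findUnguardedReactotron(UNGUARDED_STORE));
console.log(findUnguardedReactotron(GUARDED_STORE));
```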