I have an Electron app scaffolded using ERB (electron-react-boilerplate) which needs to read and write data from/to a SQLite database. I am using BetterSqlite3 for the database and React for the renderer.
From what I can tell looking at the Electron documentation it seems that the actual db integration (CRUD functions) takes place on Electron's side (i.e. in main).
Is it possible/advisable to have the database logic on the renderer (React) side? If not, do you make use of IPC to send and receive the db data between Electron and React? Are there any downsides to doing this (performance, security, etc.) vs having db logic in React?
Thanks in advance for your time and assistance.
The renderer process should be dumb, i.e. it should only exist for the purposes of presentation. Old versions of Electron allowed/promoted nodeIntegration of true in BrowserWindows; other versions allowed the use of remote in order to pull modules that were needed on the UI.
This is not secure.
There are a number of security vulnerabilities in allowing the renderer process access to modules such as a DB or OS-level control (i.e. file system), which is likely why the Electron team implemented controls such as contextIsolation and sandbox on the BrowserWindow.webPreferences property (or - just to align it with Chromium). The best practice is to only allow the main process to access the DB, and communicate however is necessary to the renderer process via IPC.
I've written a post on the history of Electron and how things have changed, and what we should be doing now. I've also been a maintainer of a secure Electron template for nearly two years (as of this writing).
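A sketch of the main-process-owns-the-DB pattern the answer recommends, as an added example that is not part of the original answer or of any template it mentions. The channel names, the `notes` table and the `dbApi` name are assumptions; `ipcMain`, `contextBridge`, `ipcRenderer` and the better-sqlite3 handle are passed in as arguments so each piece can be exercised without launching Electron.

```javascript
// Main process: the only place that holds the better-sqlite3 handle.
// Wire up with: registerDbHandlers(require('electron').ipcMain, new Database(dbPath))
function registerDbHandlers(ipcMain, db) {
  // Fixed, parameterised statements: the renderer never supplies SQL text.
  const listNotes = db.prepare('SELECT id, body FROM notes ORDER BY id LIMIT ?');
  const addNote = db.prepare('INSERT INTO notes (body) VALUES (?)');

  ipcMain.handle('notes:list', (_event, limit) => {
    // Treat every IPC argument as untrusted input and validate it here.
    if (!Number.isInteger(limit) || limit < 1 || limit > 100) {
      throw new TypeError('limit must be an integer from 1 to 100');
    }
    return listNotes.all(limit);
  });

  ipcMain.handle('notes:add', (_event, body) => {
    if (typeof body !== 'string' || body.length === 0 || body.length > 10000) {
      throw new TypeError('body must be a non-empty string of at most 10000 chars');
    }
    // lastInsertRowid may be a BigInt; convert so it serialises over IPC.
    return { id: Number(addNote.run(body).lastInsertRowid) };
  });
}

// Preload script: expose named functions only, never ipcRenderer itself,
// so renderer code cannot reach arbitrary channels.
// Wire up with: const { contextBridge, ipcRenderer } = require('electron')
function exposeDbApi(contextBridge, ipcRenderer) {
  contextBridge.exposeInMainWorld('dbApi', {
    listNotes: (limit) => ipcRenderer.invoke('notes:list', limit),
    addNote: (body) => ipcRenderer.invoke('notes:add', body),
  });
}

// BrowserWindow webPreferences that keep Node modules out of the renderer.
function secureWebPreferences(preloadPath) {
  return {
    preload: preloadPath,
    nodeIntegration: false,
    contextIsolation: true,
    sandbox: true,
  };
}
```

In React, the renderer then calls `window.dbApi.listNotes(20)` and awaits the result; it has no `require`, no database handle and no way to send SQL.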