feat(core): expose invoke key for custom IPC implementations (#11235)

custom IPC systems that manually call Webview::on_message must know the invoke key checked by Tauri. This exposes that key in the App/AppHandle instances. This is safe because the key is never leaked to remote denied webview URLs
2026-04-01 10:01:07 +02:00 · 2024-10-06 07:36:00 -03:00
parent e2a4da027c
commit 03e7590429
2 changed files with 14 additions and 0 deletions
--- a/.changes/expose-invoke-key.md
+++ b/.changes/expose-invoke-key.md
@@ -0,0 +1,5 @@
+---
+"tauri": patch:enhance
+---
+
+Added `App::invoke_key` and `AppHandle::invoke_key` for custom invoke systems that rely on manual `Webview::on_message` calls.
--- a/crates/tauri/src/app.rs
+++ b/crates/tauri/src/app.rs
@@ -878,6 +878,15 @@ macro_rules! shared_app_impl {
          webview.resources_table().clear();
        }
      }
+
+      /// Gets the invoke key that must be referenced when using [`crate::webview::InvokeRequest`].
+      ///
+      /// # Security
+      ///
+      /// DO NOT expose this key to third party scripts as might grant access to the backend from external URLs and iframes.
+      pub fn invoke_key(&self) -> &str {
+        self.manager.invoke_key()
+      }
    }

    impl<R: Runtime> Listener<R> for $app {