From 03e759042913e2ae9d45f299d6b6ad4b64ac3d2c Mon Sep 17 00:00:00 2001
From: Lucas Fernandes Nogueira
Date: Sun, 6 Oct 2024 07:36:00 -0300
Subject: [PATCH] feat(core): expose invoke key for custom IPC implementations (#11235)

custom IPC systems that manually call Webview::on_message must know the invoke key checked by Tauri. This exposes that key in the App/AppHandle instances. This is safe because the key is never leaked to remote denied webview URLs
---
 .changes/expose-invoke-key.md | 5 +++++
 crates/tauri/src/app.rs | 9 +++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 .changes/expose-invoke-key.md

diff --git a/.changes/expose-invoke-key.md b/.changes/expose-invoke-key.md
new file mode 100644
index 000000000..8c7f8c2e1
--- /dev/null
+++ b/.changes/expose-invoke-key.md
@@ -0,0 +1,5 @@
+---
+"tauri": patch:enhance
+---
+
+Added `App::invoke_key` and `AppHandle::invoke_key` for custom invoke systems that rely on manual `Webview::on_message` calls.
diff --git a/crates/tauri/src/app.rs b/crates/tauri/src/app.rs
index aaf09897c..e8512e56d 100644
--- a/crates/tauri/src/app.rs
+++ b/crates/tauri/src/app.rs
@@ -878,6 +878,15 @@ macro_rules! shared_app_impl {
 webview.resources_table().clear();
 }
 }
+
+ /// Gets the invoke key that must be referenced when using [`crate::webview::InvokeRequest`].
+ ///
+ /// # Security
+ ///
+ /// DO NOT expose this key to third party scripts as might grant access to the backend from external URLs and iframes.
+ pub fn invoke_key(&self) -> &str {
+ self.manager.invoke_key()
+ }
 }
 
 impl Listener for $app {
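Review bot: The `# Security` section on the new `invoke_key` accessor is the only guard on what is now a caller-held secret, and its wording is both ungrammatical and narrower than the risk. The commit message argues the exposure is safe because Tauri never hands the key to denied remote URLs, but once `App`/`AppHandle` return it as a plain `&str`, that property depends on every custom IPC implementation (and presumably any plugin holding an `AppHandle`) keeping it out of logs, persisted state and untrusted frames. I would reword the last doc line to `/// DO NOT expose this key to third-party scripts, as it might grant access to the backend from external URLs and iframes.` and add a sentence saying the key should only be handed to content the app itself trusts and should never be logged or stored. The method sits inside `shared_app_impl!`, whose definition starts and ends outside this hunk.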