Which parts of the code is shared by default in shiny

mubarakacademic · May 19, 2025, 11:44am

I am new to shiny, and I would like to create an authentication page for my app. I tried to implement it this way:

# UI
auth_page <- fluidPage(
      tagList(
        textInput("password_input", "Enter password:"),
        actionButton("submit_secret", "Submit"),
      )
    )

main_page <- fluidPage(
    # some private stuff
)

# Server logic
server <- function(input, output, session) {

  ### Authentication logic
  auth <- reactiveValues(
    authenticated = FALSE
  )

  observeEvent(input$submit_secret, {
    if (input$password_input == SOME_PASSWORD) {
      auth$authenticated <- TRUE
    } else {
      
    }
  })

  output$current_page <- renderUI({
    if (auth$authenticated != TRUE) {
      auth_page
    } else {
      main_page 
    }
  })
}


shinyApp(ui = uiOutput("current_page"), server = server)

And this works. The authentication page is shown first, and if the user inputs the correct password, the main page is shown. However, my question is: does shiny send the main_page to the browser but keeps it hidden? or does it not send the main_page at all until the user is authenticated?
That is because I do not want unauthenticated users to access main_page via inspect tool. My assumption is that shiny does not share any code at all unless you explicitly tell it to render it.

daattali · May 21, 2025, 6:05am

To strictly answer your question: main_page will NOT get sent to the browser in this code until the password is entered correctly. The main_page object will exist on the server side, but will only be rendered dynamically when authenticated. So theoretically speaking, yes this will work.

However, this is a very hacky way to do authentication, and beyond the educational value of understanding how this works, I would not recommend using this in a real shiny app. Use any of the many authentication packages that exist.