Flutter: Hive files exposed to user on (theoricaly all) platforms and potentially common between different apps

[QuentinCG]

Steps to Reproduce
Do Hive.initFlutter()

Code sample

Hive.initFlutter() is using getApplicationDocumentsDirectory which is designed to provide a folder accessible to users and therefor also "common between different apps" (source: "path_provider" package) !
(go to More info section to see the folders depending on the platform)

Version

• Platform: Mac, Windows, Linux, (iOS and Android theoricaly but not in practice even though it seems to impact some people: hive_flutter : getLibraryDirectory option for IOS  #840)
• Flutter version: [3.0.5]
• Hive version: [all, including 2.2.3]

How to fix

Use getApplicationSupportDirectory instead of getApplicationDocumentsDirectory or at least allow to use completly other folder at https://github.com/hivedb/hive/blob/3b12c31a221f97f5ec86fe20df63515aeedf88f0/hive_flutter/lib/src/hive_extensions.dart#L16

Other solution: Add a comment to explain the implication of initFlutter without using getApplicationSupportDirectory (but with this solution, most users will use the "default bad choice"...
Because most users should do :

import 'package:flutter/foundation.dart' show kIsWeb;

if (kIsWeb) {
  await Hive.initFlutter();
} else {
  await Hive.initFlutter((await getApplicationSupportDirectory()).path);
}

and not await Hive.initFlutter(); but is really dirty as it implies we need to rely on path.join(badDir, goodDir) to understand what we mean... (this function is not intended this way...) https://github.com/hivedb/hive/blob/3b12c31a221f97f5ec86fe20df63515aeedf88f0/hive_flutter/lib/src/hive_extensions.dart#L17

Ressources

path_provider documentation:

/// Use this for files you don’t want exposed to the user. Your app should not
/// use this directory for user data files.
/// (...)
getApplicationSupportDirectory

/// Path to a directory where the application may place data that is
/// user-generated, or that cannot otherwise be recreated by your application.
/// On iOS, this uses the `NSDocumentDirectory` API. Consider using
/// [getApplicationSupportDirectory] instead if the data is not user-generated.
/// (...)
getApplicationDocumentsDirectory

More Info

Here are where data are stored depending on the function called:

getApplicationDocumentsDirectory:

• Windows: C/Users/{username}/Documents/ (User accessible AND files common between apps 👎👎 )
• Linux: /home/{user}/ (User accessible AND files common between apps 👎👎 )
• Android : /data/user/0/{YourAppName}/app_flutter/ (Not really accessible so I guess it is "ok" & dependent on app 👍)
• MacOS (Not tested, but I guess, it is like Linux & Windows 👎👎 )
• IOS (Not tested, but from documentation, it is specified we should NOT use this function... 👎 )
• Web: Not using this function (👍 )

getApplicationSupportDirectory :

• Windows: C:\Users\{user}\AppData\Roaming\{YourAppOrganization}\{YourAppName}/ (Not accessible & dependent on app 👍 )
• Linux: /home/{user}/.local/share/{YourAppName]/ (Not accessible & dependent on app 👍 )
• Android: /data/user/0/{YourAppName}/files/ (Not accessible & dependent on app 👍)
• MacOS (Not tested, but I guess, it is like Linux & Windows 👍 )
• IOS (Not tested, but from documentation, it is specified we SHOULD use this function... 👍 )
• Web: Not using this function (👍 )

[manafire]

Agreed. There's been some ongoing discussion on it for some time now: #746.
There's a comment in there that you can apparently use Hive.init and pass it whatever directory you'd like since initFlutter effectively calls init anyway. e.g.:

  final suppDir = await getApplicationSupportDirectory();
  Hive.init(suppDir.path);

I've never used Hive before so hopefully it works well; migration would be another case.

[PhilipPurwoko]

In Flutter I cloud set the path so it was not visible in Files

String? path = (await getApplicationSupportDirectory()).path;
await Hive.initFlutter();
await Hive.openBox(boxApp, path: path);
await Hive.openBox(boxUser, path: path);