In an effort to keep db credentials completed separate from our R scripts and specifically github, the team I work on stores these things in our r profile files.
We are looking into hosting dashboards / apps on shinyapps.io and according to the docs, it would appear that this practice is not compatible. The suggestion I found in the docs is to utilize the config package. Unless I'm misunderstanding, this practice still amounts to including the un/pw values in code it would just be in a separate config file deployed to shinyapps and version controlled in github.
My questions are:
Is my understanding correct?
How are other users of shinyapps.io appropriately dealing with this secure information?
I think you're on the right track here. I don't know that I can completely comment on "best practices" without a bit more reading on/exploration of the topic, but config.yml is definitely my favorite approach. Nothing says the config.yml file needs to be stored in GitHub (in many cases, it might not be for secrecy). However, it is deployed with your code bundle to shinyapps.io.
One of the really nice benefits of the config package is that it can pivot based on the environment (i.e. shinyapps.io can connect to a different database than locally or on a RStudio Connect instance by using the R_CONFIG_ACTIVE variable shinyapps, noted in the shinyapps docs here )
After that, I would recommend a thorough perusal of the shinyapps docs. It has several tidbits in there about security, IP address permissiveness, etc.