Open hellokids86 opened 5 years ago
The key was read from your env config file, so I guess it is safe?
Not really, someone can always sniff the HTTP requests off a device and have access to the Twitter keys and secrets. Secrets should never be distributed within the app. Twitter has a way to generate an authorization URL server side that can then be passed to your app to authenticate. This, I feel, is the best practice for security.
Sending HTTP requests is handled in the Twitter library under the hood, so I guess it is not the case.
from the React Native docs: https://reactnative.dev/docs/security#storing-sensitive-info
Never store sensitive API keys in your app code. Anything included in your code could be accessed in plain text by anyone inspecting the app bundle. Tools like react-native-dotenv and react-native-config are great for adding environment-specific variables like API endpoints, but they should not be confused with server-side environment variables, which can often contain secrets and api keys.
Seems like sniffing HTTP requests isn't the only attack vector here.
I'm running into this same question/observation. Using the consumer secret and consumer key in the RN app will mean it's publicly accessible to anyone with access to the application bundle (anyone who has installed the RN app). Firebase's Twitter sign-in on the web doesn't require these two secrets in the client application (they are securely stored in the Firebase backend), so I'm curious as to why these are needed in a RN app.
Hello,
Is there a way to use this so that the Consumer Secret does not live on the app? This does not seem secure at all. Can this package be passed an authorization URL that is generated server side instead of the consumer key and secret?