benjreinhart / react-native-aws3

Pure JavaScript React Native library for uploading to AWS S3
MIT License
399 stars, 151 forks

Security of having secret keys in code #12

Closed yogiben closed 7 years ago

yogiben commented 7 years ago

Should we assume that attackers can get access to the secret keys in our code?

benjreinhart commented 7 years ago

Hey @yogiben... Yes I believe that is possible so long as they get access to your code.

However, you could wrap this library with your own to first call your server to get the keys (and that way they wouldn't be hardcoded into the binary) or better yet, if you feel up to it, submit a PR that allows users to opt in to functionality that first calls the server to get the s3 policy and uses that rather than generating it on the client.

There was a similar thread with some more thoughts of mine on this topic in #3.