Closed muratbaskicioglu closed 2 years ago
client_secret is forced because I need it to get the access_token. But if you only want to get the code and get the access_token on the server side, please pass the isOnlyGetCode prop = true and a random string to client_secret.
Can we make this clear in the documentation so that people know it is a security vulnerability? And if people want to get the access token in a more secure way, then suggest that they use the 3-legged method with the server, which holds the secret, instead?
Hi. Instagram only supports getting the code for you, and if you want to get the access_token or the user's profile, you need to do it on the server side. But in this library, I want to support them only with the client side, so if you worry about security, you can consider taking my above solution: please use the isOnlyGetCode prop, and just pass a random string to the client_secret field.
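The server-side exchange described in the comment above, as an added example that is not part of the original thread or the library's code: the browser runs with `isOnlyGetCode` and posts only the `code` to a backend, which adds the real `client_secret`. `TOKEN_URL`, the config field names and both function names are assumptions.

```javascript
// Placeholder: use the token endpoint documented by your OAuth provider.
const TOKEN_URL = "https://provider.example/oauth/access_token";

// Build the token request on the server. The secret comes from server
// configuration only; nothing secret is ever accepted from the browser.
function buildTokenRequest(body, config) {
  if ("client_secret" in body) {
    // The client passes a random dummy string to the component, so a secret
    // arriving here means the front end is misconfigured.
    throw new Error("client must not send client_secret");
  }
  if (typeof body.code !== "string" || body.code.length === 0 || body.code.length > 2048) {
    throw new Error("missing or malformed authorization code");
  }
  if (!config.clientSecret) {
    throw new Error("server is missing its client secret");
  }
  const form = new URLSearchParams({
    grant_type: "authorization_code",
    client_id: config.clientId,
    client_secret: config.clientSecret,
    redirect_uri: config.redirectUri, // fixed server-side, not taken from the request
    code: body.code,
  });
  return {
    url: TOKEN_URL,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: form.toString(),
    },
  };
}

// Exchange the code for a token. fetchImpl is injectable so the function can
// be exercised offline; in production it is the global fetch (Node 18+).
async function exchangeCode(body, config, fetchImpl = fetch) {
  const { url, init } = buildTokenRequest(body, config);
  const res = await fetchImpl(url, init);
  if (!res.ok) {
    throw new Error(`token endpoint returned ${res.status}`);
  }
  const token = await res.json();
  // Keep the token in the server-side session; do not echo it to the browser
  // unless the front end really needs it.
  return { accessToken: token.access_token };
}
```
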
Yes, I understand. I mean to put that information in the README, so people know about this.
Thank you. I'll write clearer documentation when I am free. It would be great if you could make a PR.
I see that some of the social media platforms need to use the client secret in a way that is visible to end users in the example. I think it doesn't make sense to use the client secret this way, and I consider that a security vulnerability. So, does it matter if we use the client secret this way?