imsun / gitment

A comment system based on GitHub Issues.
https://imsun.github.io/gitment/
MIT License
4.06k stars, 346 forks

Oauth2 Client_secret on frontend is always a security issue #179

Open kadary opened 5 years ago

kadary commented 5 years ago

Hello,

You asked us to file an issue if we think the OAuth2 app client_secret is a security risk in the frontend.

Just to let you know that your client secret can be used to manipulate other GitHub resources using mechanisms other than the OAuth2 authorization_code flow. It can be used with the GitHub authorizations API to gain information about your end users, for example (https://developer.github.com/v3/oauth_authorizations/).

szabolcs-szilagyi commented 3 years ago

Hello @kadary,

I've been thinking about the same thing when reading about the client_secret being used on the front-end. After reading your ticket about it, the thing that made it even funnier is that we even think alike with our profile pictures. :laughing:

GerkinDev commented 3 years ago

Well, when I saw this, I jumped out from my seat. I expected some kind of hashing or something to hide it.

So, I've moved to https://utteranc.es/, which does not have this security issue.
