panoratech / Panora

Add an integration catalog to your SaaS product in minutes
https://docs.panora.dev
Apache License 2.0

Security Risk: client_id and client_secret are available in API response #544

Closed subin-chella closed 1 week ago

subin-chella commented 1 week ago

While attempting to use the magic link to connect with any of the software by clicking the icon, an API call is made:

http://localhost:3000/connections-strategies/getCredentials?projectId=390ad43f-c1e3-448a-9e96-d651e9e227d3&type=JIRA_TICKETING_CLOUD_OAUTH

The API response includes client_id and client_secret information from our environment file. According to OAuth best practices, client_secret should never be exposed to the client.

To Reproduce

Steps to reproduce the behavior:

1. Create a magic link from the connections page.
2. Open the magic link and the developer console -> network tab.
3. Click on any of the available software icons.
4. Verify the getCredentials API response.

Expected behavior

These credentials should not be available on the client side.

Screenshots: image

Desktop (please complete the following information):

OS: Windows 11
Browser: Chrome
Version: 126.0.6478

Additional context

I understand that these values are used to make the next request (authorize), but I am still not convinced that the client secrets should be exposed on the client side.
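The pattern the report argues for, as an added example that is not Panora's code and is not part of the issue: the browser only ever receives an allowlisted view of a connection strategy (enough to build the authorize URL), the client_secret stays on the server where the code-for-token exchange happens, and a response-scanning check catches secret-looking keys before they leave the API. All names, URLs and credential values below are constructed for the example.

```javascript
// Constructed stand-in for the server-side record behind an endpoint such as
// getCredentials. Values are placeholders, not real credentials.
const CONSTRUCTED_STRATEGY = {
  projectId: "00000000-0000-0000-0000-000000000000", // placeholder id
  type: "JIRA_TICKETING_CLOUD_OAUTH",
  client_id: "example-client-id",
  client_secret: "example-client-secret-never-to-the-browser",
  scope: "read:jira-work",
  redirect_uri: "https://app.example.test/oauth/callback", // constructed
};

// Allowlist: the only fields a browser needs for the OAuth authorize step.
// Anything not listed here (client_secret in particular) is never serialized.
const PUBLIC_FIELDS = ["type", "client_id", "scope", "redirect_uri"];

// Build the response body for the client from the server-side record.
function toPublicCredentials(strategy) {
  const out = {};
  for (const key of PUBLIC_FIELDS) {
    if (key in strategy) out[key] = strategy[key];
  }
  return out;
}

// The authorize redirect needs client_id, redirect_uri, scope and state only;
// this is the "next request" the reporter refers to, and it works without the secret.
function buildAuthorizeUrl(authorizeEndpoint, publicCreds, state) {
  const url = new URL(authorizeEndpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", publicCreds.client_id);
  url.searchParams.set("redirect_uri", publicCreds.redirect_uri);
  url.searchParams.set("scope", publicCreds.scope);
  url.searchParams.set("state", state);
  return url.toString();
}

// Server-side only: the authorization code is exchanged for tokens using the
// full record, so the secret is read here and never sent to the browser.
function buildTokenRequestBody(strategy, code) {
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: strategy.redirect_uri,
    client_id: strategy.client_id,
    client_secret: strategy.client_secret,
  }).toString();
}

// Defensive check for outgoing API responses: walk the object and report any
// key path whose name looks like a secret. Returns [] when the body is clean.
const SECRET_KEY_PATTERN = /(secret|private[_-]?key|password|refresh[_-]?token)/i;
function findSecretKeys(value, path = "") {
  if (value === null || typeof value !== "object") return [];
  const hits = [];
  for (const [key, child] of Object.entries(value)) {
    const here = path ? `${path}.${key}` : key;
    if (SECRET_KEY_PATTERN.test(key)) hits.push(here);
    hits.push(...findSecretKeys(child, here));
  }
  return hits;
}

// Stand-alone demonstration.
const publicView = toPublicCredentials(CONSTRUCTED_STRATEGY);
console.log("leaks in raw record:", findSecretKeys(CONSTRUCTED_STRATEGY));
console.log("leaks in public view:", findSecretKeys(publicView));
console.log(buildAuthorizeUrl("https://auth.example.test/authorize", publicView, "state-123"));
```

The check in findSecretKeys is a safety net, not the fix: the allowlist in toPublicCredentials is what keeps the secret out of the response, and the scan exists so that a future field added to the record fails loudly in a test rather than silently reaching the network tab.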

naelob commented 1 week ago

Thank you so much! I am going to mitigate this.