While attempting to use the magic link to connect with any of the software by clicking the icon, an API call is made:
http://localhost:3000/connections-strategies/getCredentials?projectId=390ad43f-c1e3-448a-9e96-d651e9e227d3&type=JIRA_TICKETING_CLOUD_OAUTH
The API response includes client_id and client_secret information from our environment file. According to OAuth best practices, client_secret should never be exposed to the client.
To Reproduce
Steps to reproduce the behavior:
Create a magic link from the connections page.
Open the magic link and the developer console -> network tab.
Click on any of the available software icons.
Verify the getCredentials API response.
Expected behavior
These credentials should not be available on the client side.
Screenshots
![image](https://github.com/panoratech/Panora/assets/22959614/7dd9b870-14fe-4fc1-8202-45d10da97ba6)
Desktop (please complete the following information):
OS: Windows 11
Browser: Chrome
Version: 126.0.6478
Additional context
I understand that these values are used to make the next request (authorize), but I am still not convinced that the client secrets should be exposed on the client side.
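The response shape reported above beside a hardened one, as an added example that is not Panora's code: the handler names, the env variable names and the values are constructed for illustration. It also shows a serializer guard that fails a response carrying a secret-like field, which is the check a test suite would run to catch this class of leak.

```javascript
// Added example (not Panora's code). Env names, handler names and values are constructed.
const env = {
  JIRA_TICKETING_CLOUD_OAUTH_CLIENT_ID: 'constructed-client-id',
  JIRA_TICKETING_CLOUD_OAUTH_CLIENT_SECRET: 'constructed-client-secret',
};

// Reported pattern: the whole credential record, secret included, is sent to the browser.
function getCredentialsLeaky(type) {
  return {
    client_id: env[`${type}_CLIENT_ID`],
    client_secret: env[`${type}_CLIENT_SECRET`],
  };
}

// Hardened pattern: the browser receives only what it needs to start the
// authorization redirect. The secret is read on the server only when the
// authorization code is exchanged for tokens, in a server-to-server call.
function getCredentialsHardened(type) {
  return { client_id: env[`${type}_CLIENT_ID`] };
}

// Token-request body built on the backend; this string never reaches the client.
function buildTokenRequestBody(type, code) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    client_id: env[`${type}_CLIENT_ID`],
    client_secret: env[`${type}_CLIENT_SECRET`],
  }).toString();
}

// Guard for a response serializer or an API test: walk the payload and report
// every key that looks like a secret (dotted path), at any nesting depth.
const SECRET_KEY = /secret|private_key|refresh_token/i;
function findSecretKeys(payload, path = '') {
  if (payload === null || typeof payload !== 'object') return [];
  return Object.entries(payload).flatMap(([key, value]) => {
    const here = path ? `${path}.${key}` : key;
    const hits = SECRET_KEY.test(key) ? [here] : [];
    return hits.concat(findSecretKeys(value, here));
  });
}

// Serialize only payloads that pass the guard, so a leaking handler fails loudly.
function toSafeJson(payload) {
  const leaks = findSecretKeys(payload);
  if (leaks.length) throw new Error(`refusing to serialize secret fields: ${leaks.join(', ')}`);
  return JSON.stringify(payload);
}
```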