Open srad opened 8 years ago
rogeriopvl
commented
8 years ago Hi @srad, thanks for reporting. I know that's not very good karma, but I'm not very worried about it, in case of abuse I can always reset the secret. Anyway, I did it this way because I could not think of a better way to do it, and I want to avoid the user having the hassle of creating an app. Any ideas?
srad
commented
8 years ago I mean you do anyway create an application key+secret for the user why don't just integrate this in the initial run? I guess it probably wouldn't be that convenient then anymore, but at least be independent from your application key. Because if you remove your keys at a point in future, then the app would still work.
In any other scenario, I guess I would at least put it somewhere on a server and request it via ajax over SSL with http basic auth or something, so search engine would index it and nobody could just open the file by opening an URL. It wouldn't hide the location but it wouldn't at least be in a public repo and not be indexed by search engines.
Hi,
the file https://github.com/rogeriopvl/downstagram/blob/master/lib/config.js
contains your app secret + key, you certainly want to remove that from git and delte the key in your account, if they're not fake.