roughike / flutter_twitter_login

A Flutter plugin for authenticating users by using the native TwitterKit SDKs on Android & iOS.
BSD 2-Clause "Simplified" License
83 stars 135 forks

Handling API keys #20

Open pitazzo opened 5 years ago

pitazzo commented 5 years ago

Since this plugin requires the consumer key and the consumer secret in order to build a TwitterLogin instance, what is the best way to handle this situation? How secure is it to hardcode those keys? Could it be dangerous to expose them in a version control system?

Thanks in advance

lukepighetti commented 5 years ago

Yeah, I don't understand this at all. I didn't know OAuth clients ever needed the secret?

tyrinj1120 commented 4 years ago

Other implementations for Facebook, Google, etc. don't require hard-coding in the app. Why is this different? What are the options here for best practice?

lukepighetti commented 4 years ago

The only thing I can think of is to provide it over something like Remote Config, but to be completely honest with you, I think the method employed by this package is not safe and it shouldn't be used.

tyrinj1120 commented 4 years ago

@lukepighetti I thought of that too, but then you would have to secure that endpoint too. Then it becomes a catch-22 situation. The Twitter development ecosystem is a mess. I'm not trying to dismiss the great work of the Twitter team.

lukepighetti commented 4 years ago

I agree it doesn't make sense.