Closed pxue closed 8 years ago
Client secret authorizes the client/software to use the api to create access tokens. Everyone using the pokemon go app has the same key. No need to parameterize it. There is no way you can hijack anyone's session using this.
Yes, I thought the same. But wasn't sure anymore due to different opinions and also pxue comment. Thanks!
@wiez you're right that client secret is an authorization method, and right about everyone uses the same key. however, in normal circumstances the client secret is server side and hidden from the users, never in the client. For example, github its self says client secret should never be shared and RFC6819 touches very briefly about the dangers of exposed client secret.
Either way, this is a demo, just wanted to let people know :)
https://github.com/tejado/pokemongo-api-demo/blob/master/main.py#L138
you should parameterize this. worst case I can hijack everyone who's using this' session.
you should capture the initial oauth exchange from your app to niantic.