tejado / pgoapi

Pokemon Go API lib

client secret #9

Closed pxue closed 8 years ago

pxue commented 8 years ago

https://github.com/tejado/pokemongo-api-demo/blob/master/main.py#L138

you should parameterize this. Worst case, I can hijack the session of everyone who's using this.

you should capture the initial oauth exchange from your app to niantic.

tejado commented 8 years ago

Like this? :) https://github.com/tejado/pokemongo-api-demo/commit/d0642a91926dacdd8279d31a3782b2d1e37eb42c

ghost commented 8 years ago

Client secret authorizes the client/software to use the api to create access tokens. Everyone using the pokemon go app has the same key. No need to parameterize it. There is no way you can hijack anyone's session using this.

tejado commented 8 years ago

Yes, I thought the same. But I wasn't sure anymore due to different opinions and also pxue's comment. Thanks!

pxue commented 8 years ago

@wiez you're right that the client secret is an authorization method, and right that everyone uses the same key. However, in normal circumstances the client secret is server side and hidden from the users, never in the client. For example, GitHub itself says the client secret should never be shared, and RFC 6819 touches very briefly on the dangers of an exposed client secret.

Either way, this is a demo, just wanted to let people know :)
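To make the two positions in this thread concrete, here is a toy authorization-code token endpoint added as an illustration; it is not code from pgoapi or pokemongo-api-demo, and the client id, secret and user names are constructed values. It assumes the standard authorization-code grant (client authentication plus a user-bound, single-use code), and shows that knowing the shared client secret lets anyone pass the "is this the official client" check, but never yields another user's session on its own.

```python
import secrets

# Constructed toy credentials; they stand in for whatever the real app ships and
# are not the values from pokemongo-api-demo or any real provider.
CLIENT_ID = "demo-client"
CLIENT_SECRET = "secret-shipped-inside-every-copy-of-the-app"


class ToyTokenEndpoint:
    """Minimal authorization-code token endpoint: checks the client's
    credentials AND a user-bound, single-use authorization code."""

    def __init__(self):
        self.codes = {}     # code -> (user, client_id), issued after user consent
        self.sessions = {}  # access token -> user

    def issue_code(self, user, client_id):
        """Issued only after the user has authenticated and consented."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id)
        return code

    def exchange(self, client_id, client_secret, code):
        """Return an access token, or None if either check fails."""
        # Client authentication: proves "this is the official app" only as long
        # as the secret is actually secret. Embedded in a public client, it is not,
        # so any third-party script holding it passes this check (the RFC 6819 risk).
        if client_id != CLIENT_ID or not secrets.compare_digest(client_secret, CLIENT_SECRET):
            return None
        # User authorization: the code is what ties the token to a person.
        # The secret alone never produces one, so an exposed secret does not
        # hand out other users' sessions.
        entry = self.codes.pop(code, None)  # single use
        if entry is None or entry[1] != client_id:
            return None
        token = secrets.token_urlsafe(24)
        self.sessions[token] = entry[0]
        return token


def who_gets_a_session(endpoint):
    """Walk the cases from the thread; returns (secret_only, own_user, replay)."""
    secret_only = endpoint.exchange(CLIENT_ID, CLIENT_SECRET, "guessed-code")
    code = endpoint.issue_code("alice", CLIENT_ID)   # alice consented in the app
    own_user = endpoint.exchange(CLIENT_ID, CLIENT_SECRET, code)
    replay = endpoint.exchange(CLIENT_ID, CLIENT_SECRET, code)
    return secret_only, own_user, replay


if __name__ == "__main__":
    print(who_gets_a_session(ToyTokenEndpoint()))
```

The secret-only and replay cases return None, while the consenting user's own code yields a token; that is the sense in which the leaked secret authorizes the client, not the user.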