uraway / electron-oauth-github

I do not recommend using this library for OAuth authentication due to security issues. Please use a backend API to keep your access key secret, or an Auth0 integration.
https://www.npmjs.com/package/electron-oauth-github

Isn't the client secret supposed to remain a secret? #10

Closed kraenhansen closed 6 years ago

kraenhansen commented 6 years ago

I am a bit surprised that this package expects the client secret to be known in the Electron source code. Why is that not a security vulnerability?

uraway commented 6 years ago

Why not use a simple server that keeps the keys, or Keytar?

kraenhansen commented 6 years ago

I found https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/ which mentions this is bad practice:

It is critical that developers never include their client_secret in public (mobile or browser-based) apps.

kraenhansen commented 6 years ago

Where would that simple server run? And using Keytar would probably not work - it's a secret to me as a developer, not the user.

uraway commented 6 years ago

Please use a proxy server which returns your keys or makes all your API requests to Github. Storing keys secretly is not the role of this package.

The most secure way is that your app makes no requests to Github and your proxy server does the requests.

kraenhansen commented 6 years ago

What proxy server?

No matter how the secret is retrieved, it will end up in memory at the users of the Electron app, which must not be considered secure. What am I missing here?

uraway commented 6 years ago

It is not the most secure way to use this package.

I meant the proxy is to make all requests to Github instead of your Electron app. If a server makes all requests to Github and your app makes no requests and gets the data from the server which has the keys, it is the most secure.

kraenhansen commented 6 years ago

It is not the most secure way to use this package.

Wouldn't it be appropriate if the package had a disclaimer then? It's basically encouraging developers to leak their secrets to users?

uraway commented 6 years ago

This package is MIT Licensed. No warranty there. I do not intend to make this package secure.