Closed kraenhansen closed 6 years ago
I found https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/ which mentions this is bad practice:
> It is critical that developers never include their client_secret in public (mobile or browser-based) apps.
Where would that simple server run? And using Keytar would probably not work - it's a secret to me as a developer, not the user.
Please use a proxy server which returns your keys or makes all your API requests to Github. Storing keys secretly is not the role of this package.
The most secure way is for your app to make no requests to Github and have your proxy server do the requests.
What proxy server?
No matter how the secret is retrieved, it will end up in memory at the users of the Electron app, which must not be considered secure. What am I missing here?
It is not the most secure way to use this package.
I meant that the proxy is to make all requests to Github instead of your Electron app. If a server makes all requests to Github and your app makes no requests and gets the data from the server which has the keys, that is the most secure.
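A sketch of the proxy arrangement described above, as an added example that is not part of this issue or of the package's own code: the Electron app posts only the one-time authorization code to a server you run, and that server holds `client_secret`, exchanges the code with GitHub's token endpoint, and hands back just the access token. The names `PROXY_URL`, `handleExchange`, `serverConfig` and the fake GitHub fetch are assumptions made for the example; the GitHub token URL and its form parameters are the documented OAuth App endpoint.

```javascript
// Added example (not this package's code): a code-exchange proxy for a GitHub
// OAuth App, so client_secret never ships inside the Electron app.
// PROXY_URL, handleExchange, serverConfig and fakeGitHubFetch are assumptions.
'use strict';

const GITHUB_TOKEN_URL = 'https://github.com/login/oauth/access_token';
const PROXY_URL = 'https://proxy.example.invalid'; // assumed: your own server

// --- Electron (client) side -------------------------------------------------
// The app only ever sends the authorization code it received on the redirect.
// Nothing in this code path knows the client_secret.
function buildClientRequest(code) {
  return {
    url: `${PROXY_URL}/exchange`,
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({ code }),
  };
}

// --- Proxy (server) side ----------------------------------------------------
// Accept only a plain JSON object carrying a non-empty string `code`.
function parseClientBody(rawBody) {
  let parsed;
  try { parsed = JSON.parse(rawBody); } catch { return null; }
  if (!parsed || typeof parsed !== 'object' || typeof parsed.code !== 'string') return null;
  // Authorization codes are short opaque strings; bound the size to limit abuse.
  if (parsed.code.length === 0 || parsed.code.length > 256) return null;
  return parsed.code;
}

// Build the request the *server* sends to GitHub. client_secret enters only
// here, from server-side config, never from anything the client supplied.
function buildTokenExchangeRequest(code, { clientId, clientSecret, redirectUri }) {
  const params = new URLSearchParams({ client_id: clientId, client_secret: clientSecret, code });
  if (redirectUri) params.set('redirect_uri', redirectUri);
  return {
    url: GITHUB_TOKEN_URL,
    method: 'POST',
    headers: { accept: 'application/json', 'content-type': 'application/x-www-form-urlencoded' },
    body: params.toString(),
  };
}

// Handle one POST /exchange: validate input, exchange the code with GitHub via
// the injected fetch, and return only what the client needs. The secret is
// never echoed, and GitHub's raw response is not forwarded verbatim.
async function handleExchange(rawBody, config, fetchImpl) {
  const code = parseClientBody(rawBody);
  if (code === null) return { status: 400, body: { error: 'invalid_request' } };
  const req = buildTokenExchangeRequest(code, config);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  const data = await res.json();
  // GitHub's token endpoint can answer HTTP 200 with an error body, so check both.
  if (!res.ok || typeof data.access_token !== 'string') {
    return { status: 502, body: { error: 'exchange_failed' } };
  }
  return { status: 200, body: { access_token: data.access_token, token_type: data.token_type } };
}

// --- Constructed stand-in for GitHub so the example runs offline -------------
const FAKE_SECRET = 'constructed-secret-do-not-ship';
function fakeGitHubFetch(url, init) {
  const p = new URLSearchParams(init.body);
  const ok = url === GITHUB_TOKEN_URL && p.get('client_secret') === FAKE_SECRET && p.get('code') === 'good-code';
  const payload = ok
    ? { access_token: 'gho_constructed_token', token_type: 'bearer', scope: 'repo' }
    : { error: 'bad_verification_code' };
  return Promise.resolve({ ok: true, json: async () => payload });
}

const serverConfig = { clientId: 'constructed-client-id', clientSecret: FAKE_SECRET };

// End-to-end run against the fake GitHub: a good code yields a token, a stale
// code and a malformed body do not, and the secret never reaches the client.
async function demo() {
  const good = await handleExchange(buildClientRequest('good-code').body, serverConfig, fakeGitHubFetch);
  const bad = await handleExchange(buildClientRequest('stale-code').body, serverConfig, fakeGitHubFetch);
  const junk = await handleExchange('not json', serverConfig, fakeGitHubFetch);
  return { good, bad, junk };
}
```

In a real deployment `serverConfig.clientSecret` comes from the server's environment or a secrets manager, the `/exchange` route is served over TLS, and the proxy should also verify the OAuth `state` value and rate-limit callers, none of which this sketch covers.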
> It is not the most secure way to use this package.
Wouldn't it be appropriate if the package had a disclaimer then? It's basically encouraging developers to leak their secrets to users?
This package is MIT Licensed. No warranty there. I do not intend to make this package secure.
I am a bit surprised that this package expects the client secret to be known in the Electron source code. Why is that not a security vulnerability?