How Secure is this API

[MuawizChaudhary]

Hi,

How secure do you believe this API is, if I wanted to use it in the backend of a website using Flask hosted on Heroku?

One thing I am concerned about is having users of the website passing in their password and username to my website. Ideally, the Venmo oauth would take care of that. I don't believe that happens here tho.

Is there a possibility to make this API more secure?

[mmohades]

I don't think that's a good idea to have other users input their username and password on a third party website, unless it's only for your personal use. It's your responsibility to make your backend secure and your users to trust the service, and I don't recommend doing it in the first place.

As far as the API wrapper, it makes HTTPS requests directly to the venmo phone app API, thus encrypted. You can see the whole authentication process here: https://github.com/mmohades/Venmo/blob/master/venmo_api/apis/auth_api.py

[mmohades]

Also, here is where the requests are made from for all the venmo API endpoints:

Venmo/venmo_api/utils/api_client.py

Line 114 in 1eb72c9

def request(self, method, url, session,

[MuawizChaudhary]

I notice in the Venmo Documentation there is this mention of client_secret in order to retrieve the acess token. Do you happen to know how to access that in this application?

[MuawizChaudhary]

I don't think that's a good idea to have other users input their username and password on a third party website, unless it's only for your personal use. It's your responsibility to make your backend secure and your users to trust the service, and I don't recommend doing it in the first place.

Would a local app be better in terms of security?

[mmohades]

I didn't catch what you meant by the client_secret, did you mean otp-secret? That's used in the 2-factor auth. Please check the auth link I shared previously.

I don't think that's a good idea to have other users input their username and password on a third party website, unless it's only for your personal use. It's your responsibility to make your backend secure and your users to trust the service, and I don't recommend doing it in the first place.

Would a local app be better in terms of security?

You need to think about a user's access token as important as the password to their bank account because Venmo technically have access to your bank account. Thus, that would make you responsible for their bank account as well. I'd suggest to keep your app only for your personal use or to be run by each user locally, and make sure they are aware of that knowing someone's access token means having full access to their Venmo account which also means their bank account for sending money. Thus, it's important to keep access tokens somewhere secure.

[collindutter]

@mmohades I think he's referring to the Server Side Flow as documented here: https://venmo.com/docs/authentication.

@MuawizChaudhary I don't think it's possible to get a client_secret without logging into their discontinued developer portal :(