Handling API keys #20
Comments
Yeah I don't understand this at all. I didn't know OAuth clients ever needed the secret?
Other implementations for Facebook, Google etc. don't require hard coding in the app. Why is this different? What are the options here for best practice?
The only thing I can think of is to provide it over something like Remote Config but to be completely honest with you I think the method employed by this package is not safe and it shouldn't be used.
@lukepighetti I thought of that too but then you would have to secure that endpoint too. Then it becomes a catch-22 situation. The Twitter development ecosystem is a mess. I'm not trying to dismiss the great work of the Twitter team.
I agree it doesn't make sense.
As long as this plugin requires the consumer key and the consumer secret in order to build a TwitterLogin instance, which is the best way to handle this situation? How secure is it to hardcode those keys? Could it be dangerous to expose them in a version control system? Thanks in advance