Handling API keys #20
Comments
|
Yeah I don't understand this at all. I didn't know oauth clients ever needed the secret? |
|
Other implementations for Facebook, Google etc don't require hard coding in the app. Why is this different? What are the options here for best practice? |
|
The only thing I can think of is to provide it over something like Remote Config but to be completely honest with you I think the method employed by this package is not safe and it shouldn't be used. |
|
@lukepighetti I thought of that too but then you would have to secure that endpoint too. Then it becomes a catch 22 situation. The Twitter development ecosystem is a mess. I'm not trying to dismiss the great work of the Twitter team. |
|
I agree it doesn't make sense. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As long as this plugin requires the consumer key and the consumer secret in order to build a
TwitterLogininstance, which is the best way to handle this situation? How secure is to hardcode those keys? Could be dangerous exposing them in a version control system?Thanks in advance
The text was updated successfully, but these errors were encountered: