This repository has been archived by the owner on Sep 3, 2020. It is now read-only.

Including Client Secret is security risk #43

Open
hatboysam opened this issue Dec 4, 2014 · 3 comments

Comments

@hatboysam

I am slightly concerned about the hard-coded client secret included in this repo. I think it would be much better to force users to create their own (although I understand that it is hard-coded for ease of use).

The problem is that this makes it very easy for another application to impersonate this app and gain offline access to a user's account. In the case of Drive files, this can be very sensitive information.

@rakyll
Owner

rakyll commented Dec 4, 2014

We should always set the approval_prompt to "force" on `fmt.Println("Visit this URL to get an authorization code")`.

Read more about the approval_prompt on https://developers.google.com/accounts/docs/OAuth2WebServer.

Embedding client secret is less of a concern, if the user doesn't give you blanket permissions to skip the consent dialog. So, the client should never ask for a blanket permission.

@hatboysam
Author

Ah ok I wasn't familiar with the force prompt.

@rakyll
Owner

rakyll commented Dec 4, 2014

Reopening.

By default, approval_prompt is set to auto. We should make sure that the prompt is enforced.

@rakyll rakyll reopened this Dec 4, 2014
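The behaviour the two comments above turn on (approval_prompt defaults to auto, so a user who already approved this client ID is not asked again, and an embedded secret then lets anyone who also has the user's session obtain offline access silently), as an added example that is not part of the drive project's code. The client ID, endpoint, redirect URI and scope are placeholder values; no client secret is needed to build the authorization URL at all. The checker also accepts prompt=consent, the parameter Google documents in place of approval_prompt=force today.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Placeholder values for this example only; not the drive project's real
// client ID. Building the consent URL never requires the client secret.
const (
	clientID     = "example-client-id.apps.googleusercontent.com"
	authEndpoint = "https://accounts.google.com/o/oauth2/auth"
	redirectURI  = "urn:ietf:wg:oauth:2.0:oob" // installed-app "paste the code" flow
	driveScope   = "https://www.googleapis.com/auth/drive"
)

// NewState returns a random, URL-safe state value so that the authorization
// code that comes back can be tied to this particular request.
func NewState() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// AuthCodeURL builds the URL the user must visit. With forceConsent=false the
// approval_prompt parameter is omitted, i.e. left at Google's default "auto":
// a user who already approved this client ID once is not shown the consent
// screen again. With forceConsent=true the screen is always shown, so the
// user sees every new grant of offline access.
func AuthCodeURL(state string, forceConsent bool) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", driveScope)
	q.Set("access_type", "offline") // ask for a refresh token
	q.Set("state", state)
	if forceConsent {
		q.Set("approval_prompt", "force")
	}
	return authEndpoint + "?" + q.Encode()
}

// ConsentForced reports whether an authorization URL will always show the
// consent screen: approval_prompt=force (the parameter used in 2014) or
// prompt=consent (the parameter Google documents now). It errors on a URL
// that is not an authorization request at all.
func ConsentForced(rawURL string) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, err
	}
	q := u.Query()
	if q.Get("client_id") == "" {
		return false, errors.New("not an authorization URL: missing client_id")
	}
	if q.Get("approval_prompt") == "force" {
		return true, nil
	}
	for _, p := range strings.Fields(q.Get("prompt")) {
		if p == "consent" {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	state, err := NewState()
	if err != nil {
		panic(err)
	}
	for _, force := range []bool{false, true} {
		u := AuthCodeURL(state, force)
		forced, _ := ConsentForced(u)
		fmt.Printf("forceConsent=%v, consent screen always shown=%v\n%s\n\n", force, forced, u)
	}
}
```

Forcing the prompt makes a re-grant visible; it does not stop a user from approving an impostor that presents this client ID, so a secret checked into a public repository should still be treated as public.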