Stupid question: is there a secure way to specify `clientSecret`?
To make gitalk work, we’re supposed to specify some information from oauth as follows:
```js
const gitalk = new Gitalk({
  clientID: 'GitHub Application Client ID',
  clientSecret: 'GitHub Application Client Secret',
  repo: 'GitHub repo',
  owner: 'GitHub repo owner',
  admin: ['GitHub repo owner and collaborators, only these guys can initialize github issues'],
  id: location.pathname, // Ensure uniqueness and length less than 50
  distractionFreeMode: false // Facebook-like distraction free mode
})
gitalk.render('gitalk-container')
```
My question is whether it’s a security hazard to have the clientID and clientSecret pasted in that location, and if not, whether there’s a better, more secure way to store it. (I tend to use jekyll and GitHub pages…)
Thanks for any guidance; I’m aware that this is something of a stupid question.
Issue Analytics
- State:
- Created 4 years ago
- Comments:8
Probably I’m missing something but … isn’t Gitalk a client-side plugin/library? As such we have to initialize the gitalk instance on the page. So, even if I put my secret in an env variable, in the end it will be dumped into the html that the browser loads, so it is publicly available. Am I missing something here?
@jdossgollin Putting in secret keys directly is definitely a bad idea.