hi 👋 #33
Comments
hey, I looked at your README and your plugin demands the user to use the app secret in iOS and Android. This is very bad practice: as soon as an attacker gets the APK and decompiles the code, he also gets the app secret. You should never use code flow outside a server; only code flow + PKCE is a proper option. Are you aware of that? Update: Maybe TwitterKit manages the secure holding of the appSecret, but it seems odd though.
I think your PR would be better suited for https://github.com/ionic-team/capacitor/blob/master/site/docs-md/community/plugins.md#authentication. There are already a couple of authentication plugins on that list and I don't want to curate a list myself because Capacitor already has one.
It makes no sense, that's the way TwitterKit handles it. OK, no problem. PR was already submitted to the docs.
TwitterKit forcing you to do so does not mean that it is generally a good idea. Of course you don't have to believe me, but please search the web and look for resources which do recommend the usage of code flow and the appSecret in public native apps.
I wrote this plugin that does the OAuth stuff for Twitter and linked your lib as a related project.
Can I send a PR linking my plugin as well?
https://github.com/stewwan/capacitor-twitter