Make the call NativeClient.login(refresh_tokens=True) default, instead of the current default refresh_tokens=False.
This is to make scripting more convenient for folks, so tokens won't expire in the default setting. We'll also need to add a warning somewhere that refresh tokens are default so folks know it's a small sacrifice of security for usability.
I'm not sure this is a good idea. Especially if we want to submit this to PyPI for general use. Do we really want the default (which is what everyone will use in practice) to leave refresh tokens behind wherever anyone plays around with this code? It seems to me we only want refresh tokens to be generated on systems where the user is pretty confident they have privacy. The warning in the README isn't sufficient to guarantee the code is only being used on private systems. IMO, telling developers how to enable refresh tokens is actually a small price to pay for a sane default.
Further, when a refresh token escapes into the wild, (a) there's little or no warning to the user that it happened, and (b) it's nontrivial for the user to figure out how to revoke it. I think the user should have to explicitly think about enabling refresh tokens.