Exposing secret on the client side is bad practice

[fniewijk]

I was looking at using your package, but when I read your code and compare it with the manual it says that you should not share the app_secret client side. It suggests you should use the client side implicit authentication. link

Are you aware of this? This looks like an issue that is resolvable. The implicit authentication does not need the secret.

[gitstud]

The docs here show where to put the app secret but not where to get it, you can serve the app secret from your server and then connect it with however you manage state

[codeundercoverdev]

@gitstud @fniewijk doesn't that still expose the app secret to the user when you fetch it from your server?

[victor871129]

@gitstud @fniewijk doesn't that still expose the app secret to the user when you fetch it from your server?

Yes, that's why you need to check the integrity of your app with a Tampering Detection solution and only store the secret on the phone RAM

[chr4ss1]

yeah, this is a bit design flaw in this lib, there should never be appSecret exposed anywhere on the JS side, memory or no memory.

it is working for me with responseType=code, and appSecret="completelyrandomNONVALID".

Looks like IG does not use it:

https://developers.facebook.com/docs/instagram-basic-display-api/guides/getting-access-tokens-and-permissions

[hungdev]

I added an option for expose secret, read doc here

[jaweherncir]

Hello please some hir con help me to get the profil photo of Facebook account with nodejs please