
Including Client Secret is security risk

Open hatboysam opened this issue 10 years ago • 3 comments

I am slightly concerned about the hard-coded client secret included in this repo. I think it would be much better to force users to create their own (although I understand that it is hard-coded for ease of use).

The problem is that this makes it very easy for another application to impersonate this app and gain offline access to a user's account. In the case of Drive files, this can be very sensitive information.

hatboysam avatar Dec 04 '14 19:12 hatboysam

We should always set the approval_prompt to "force" on https://github.com/rakyll/drive/blob/3144e0613978309bf32033e578045f2e761b0975/remote.go#L63.

Read more about the approval_prompt on https://developers.google.com/accounts/docs/OAuth2WebServer.

Embedding client secret is less of a concern, if the user doesn't give you blanket permissions to skip the consent dialog. So, the client should never ask for a blanket permission.

rakyll avatar Dec 04 '14 21:12 rakyll

Ah ok, I wasn't familiar with the force prompt.

hatboysam avatar Dec 04 '14 22:12 hatboysam

Reopening.

By default, approval_prompt is set to auto. We should make sure that the prompt is enforced.

rakyll avatar Dec 04 '14 23:12 rakyll
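As an added example (not code from the rakyll/drive repository), this standard-library Go snippet builds the Google consent URL the way the thread recommends, with `approval_prompt=force` beside the default that leaves it at `auto`, plus a check that fails if the enforced prompt is ever dropped again. The client ID and redirect URI are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Google's OAuth2 authorization endpoint for the web-server flow.
const googleAuthURL = "https://accounts.google.com/o/oauth2/auth"

// authConfig holds the fields a CLI needs to build a consent URL.
type authConfig struct {
	ClientID    string
	RedirectURL string
	Scopes      []string
}

// consentURL builds the authorization URL. With forcePrompt=false Google
// applies the default approval_prompt=auto and may skip the consent screen
// for a user who already granted these scopes to this client ID; with
// forcePrompt=true the consent dialog is shown on every authorization.
// (Newer Google docs express the same thing as prompt=consent.)
func consentURL(cfg authConfig, state string, forcePrompt bool) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", cfg.ClientID)
	q.Set("redirect_uri", cfg.RedirectURL)
	q.Set("scope", strings.Join(cfg.Scopes, " "))
	q.Set("state", state)
	q.Set("access_type", "offline") // refresh token for later runs
	if forcePrompt {
		q.Set("approval_prompt", "force")
	}
	return googleAuthURL + "?" + q.Encode()
}

// promptEnforced reports whether an authorization URL carries
// approval_prompt=force, so a regression to the default is caught in tests.
func promptEnforced(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	return u.Query().Get("approval_prompt") == "force"
}

func main() {
	cfg := authConfig{ // constructed placeholder values
		ClientID:    "PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com",
		RedirectURL: "http://localhost:8080/callback",
		Scopes:      []string{"https://www.googleapis.com/auth/drive"},
	}
	fmt.Println(consentURL(cfg, "state123", true))
	fmt.Println("default enforced:", promptEnforced(consentURL(cfg, "state123", false)))
}
```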