flutter_twitter_login

Handling API keys

Open pitazzo opened this issue 5 years ago • 5 comments

As long as this plugin requires the consumer key and the consumer secret in order to build a TwitterLogin instance, what is the best way to handle this situation? How secure is it to hardcode those keys? Could it be dangerous to expose them in a version control system?

Thanks in advance

pitazzo Apr 18 '19 20:04

Yeah, I don't understand this at all. I didn't know OAuth clients ever needed the secret?

lukepighetti Sep 26 '19 17:09

Other implementations for Facebook, Google, etc. don't require hard coding in the app. Why is this different? What are the options here for best practice?

tyrinj1120 Feb 10 '20 13:02

The only thing I can think of is to provide it over something like Remote Config, but to be completely honest with you, I think the method employed by this package is not safe and it shouldn't be used.

lukepighetti Feb 10 '20 15:02

@lukepighetti I thought of that too, but then you would have to secure that endpoint too. Then it becomes a catch-22 situation. The Twitter development ecosystem is a mess. I'm not trying to dismiss the great work of the Twitter team.

tyrinj1120 Feb 10 '20 15:02

I agree it doesn't make sense.

lukepighetti Feb 13 '20 14:02