Hi all,
Say if I wanted to implement some service which requires OAuth2 authentication, how would I go about hiding the secret? The client ID, afaik, is not too important.
For example in the LastFM plugin, I require people to submit their own, but that isn’t good practice. I can’t write C++, so writing code that isn’t easily decompiled is difficult.
Is there a shortcut I can take, or should I learn C++, compile a binary and use that binary instead of JavaScript files to fetch the token (and maybe more)? Obviously this would still make it susceptible to MitM attacks (e.g. in the case of proxies), I presume.
Or maybe a single binary can be written with all client IDs and secrets, just for authenticating services for Volumio. That way plugin makers only need to reference that binary and call its public functions (with credentials), whereas that binary will make the call to the API, providing the plugin with the token.
Just thinking out loud here and hoping you will contribute to the discussion. In any case, storing the secrets in the easily readable JavaScript files is bad practice, even obfuscated.
Thanks and happy Easter all!