Open source the project, but keep the API keys

I would like to create an open source project using the GitHub API, but I am facing a problem with my secret key in the source code. I've read in various places to never include any secret keys in the source, and I agree with that. I also found a couple of vague links about authenticating through a web server instead of forcing users to obtain their own API keys.

In my opinion it will look something like this:

When it comes time to authenticate with GitHub, I would ask the user to submit a request to my server. From there, I would authenticate with GitHub using my own API keys, and after successful authentication, return the signature to the user who made the request. From that point on, they would be able to communicate directly with GitHub. Is that right?

If so, I would like to know a little more about this process. This is my first experience with the API, so I'm pretty new to it.



1 answer


I never got an answer to this question, so I thought I would go through what I have found so far.

The main issue with open sourcing a project that uses the API is revealing your client secret (at least in the case of GitHub, which is why I posted this question). You should never include your client secret in the source. If someone has your client secret and client ID, they can effectively impersonate your application.

So that leaves two options.

1) Run your own simple server.

2) Require anyone who forks your project to get their own GitHub API keys.



I would suggest going with option 2. If you open source the application, it is no longer yours and you cannot tell what other people will do with it. So why would you want to be responsible for what some other application does when using your client ID and secret?

There is another problem here. After authenticating with GitHub and receiving the auth token, you need to somehow securely store this auth token. I didn't realize it at first, but it's basically a password. If you save the auth token in plain text and someone retrieves it, they can access the API and get all the user's data. (This uses OAuth2 and bearer tokens.)

There is really no good way to store the auth token on the client, which also presents another problem when trying to open source your project. Whoever is using your open source project will essentially have to run their own server for the initial authentication and then store the auth token as well.

Just a few things to keep in mind.

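The "option 1" flow described in the question and the answer above, as an added example that is not code from the original post or from GitHub: a minimal token-exchange service that keeps the client secret on the server. The open-source client opens the authorize URL the server builds, GitHub redirects back with a `code` and the `state`, and the client hands both to the server, which swaps the code for a bearer token using the secret only it holds. The endpoint URLs and form fields are GitHub's documented OAuth web flow; the client ID, client secret, `fake_github` transport and the `good-code` value are constructed placeholders so the example runs offline.

```python
"""Added example: server-side GitHub OAuth code exchange (the secret never ships with the client)."""
import hmac
import json
import secrets
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Set

GITHUB_AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
GITHUB_TOKEN_URL = "https://github.com/login/oauth/access_token"

# Assumed placeholders: in a real deployment these are read from the environment
# or a secret store on the server, never committed to the open-source repository.
CLIENT_ID = "Iv1.example-client-id"
CLIENT_SECRET = "example-client-secret-kept-on-server-only"

# A transport takes (url, form fields) and returns the response body as text,
# so the real HTTPS call can be swapped for a constructed one when testing.
Transport = Callable[[str, Dict[str, str]], str]


def _post_form(url: str, fields: Dict[str, str]) -> str:
    """Default transport: a real HTTPS POST, asking GitHub for a JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


class TokenExchangeServer:
    """Holds the client secret and the one-shot `state` values for logins in progress."""

    def __init__(self, transport: Transport = _post_form) -> None:
        self._transport = transport
        self._pending_states: Set[str] = set()

    def begin_login(self, scope: str = "repo") -> str:
        """Step 1: return the GitHub authorize URL the client should open.
        `state` is an unguessable nonce that binds the later callback to this login."""
        state = secrets.token_urlsafe(32)
        self._pending_states.add(state)
        params = {"client_id": CLIENT_ID, "scope": scope, "state": state}
        return f"{GITHUB_AUTHORIZE_URL}?{urllib.parse.urlencode(params)}"

    def finish_login(self, code: str, state: str) -> Optional[str]:
        """Step 2: the client posts (code, state) here and gets back the bearer token,
        or None when the exchange must be refused. Only this process sees the secret."""
        # Refuse callbacks carrying a state we never issued (CSRF / injected code),
        # comparing in constant time; each state is consumed on first use.
        wanted = state.encode("utf-8", "replace")
        matched = next((s for s in self._pending_states
                        if hmac.compare_digest(s.encode(), wanted)), None)
        if matched is None:
            return None
        self._pending_states.discard(matched)

        body = self._transport(GITHUB_TOKEN_URL, {
            "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET,  # stays server-side
            "code": code,
        })
        payload = json.loads(body)
        # GitHub answers a bad or expired code with HTTP 200 and {"error": ...}.
        if "error" in payload or payload.get("token_type", "").lower() != "bearer":
            return None
        return payload["access_token"]


def fake_github(url: str, fields: Dict[str, str]) -> str:
    """Constructed stand-in for GitHub's token endpoint so the example runs with no network."""
    if url != GITHUB_TOKEN_URL:
        return json.dumps({"error": "not_found"})
    if fields.get("client_secret") != CLIENT_SECRET:
        return json.dumps({"error": "incorrect_client_credentials"})
    if fields.get("code") != "good-code":
        return json.dumps({"error": "bad_verification_code"})
    return json.dumps({"access_token": "gho_constructedtoken", "token_type": "bearer", "scope": "repo"})


def _state_from(authorize_url: str) -> str:
    """Pull the `state` query parameter back out of an authorize URL (what the client echoes)."""
    return urllib.parse.parse_qs(urllib.parse.urlsplit(authorize_url).query)["state"][0]


def demo() -> Dict[str, Optional[str]]:
    """Run the flow against the constructed endpoint; shows the accept and refuse paths."""
    srv = TokenExchangeServer(transport=fake_github)
    state = _state_from(srv.begin_login())
    return {
        "good": srv.finish_login("good-code", state),
        "replay": srv.finish_login("good-code", state),        # state already consumed
        "forged": srv.finish_login("good-code", "not-issued"),  # state never issued
        "bad_code": srv.finish_login("stale", _state_from(srv.begin_login())),
    }


if __name__ == "__main__":
    print(demo())
```

The client that gets open sourced only ever needs `CLIENT_ID` and the server's URL; nothing in it can impersonate the application. The server still has to decide whom it will perform exchanges for, which is the responsibility the answer warns about, and the returned token then has to be protected on the client like a password.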