Consumer key secret being shown to the user [PARSE SERVER]
Consumer key secret being shown to the user [PARSE SERVER]
I'm seeing the "authData" field in the parse server dashboard, and I saw that users can have access to my (consumer key secret) from twitter.
Here is the data I see:
[
"twitter":
"consumer_key": "XXXXYAJ",
"auth_token": "ABCDCODESAMPLEXXX87",
"screen_name": "nameUserSample",
"consumer_secret": "HEREISSHOWINGMYCONSUMERKEYSECRET",
"id": "7777777777777",
"auth_token_secret": "SECR3TAUTHTOK3N"
What are the risks of the user being able to see my consumer key secret? Can I avoid this somehow? Thank you!
This is my code to login:
bt_conectarTwitter.setCallback(new com.twitter.sdk.android.core.Callback<TwitterSession>()
@Override
public void success(Result<TwitterSession> result)
dialogLoading.showDialog(getContext());
// Do something with result, which provides a TwitterSession for making API calls
Log.i("lul", "success: " + result);
TwitterSession session = TwitterCore.getInstance().getSessionManager().getActiveSession();
TwitterAuthToken authToken = session.getAuthToken();
final String tokenUserTwitter = authToken.token;
final String secretTokenUserTwitter = authToken.secret;
final String userId = String.valueOf(session.getUserId());
final String userName = session.getUserName();
ParseTwitterUtils.logIn(userId,userName,tokenUserTwitter,secretTokenUserTwitter, new LogInCallback()
@Override
public void done(ParseUser user, ParseException err)
if (user == null)
Log.d("MyApp", "Uh oh. The user cancelled the Twitter login.");
else if (user.isNew())
newUserFromTwitter();
saveTokensTwitter(tokenUserTwitter,secretTokenUserTwitter);
Log.d("MyApp", "User signed up and logged in through Twitter!");
else
if (ParseTwitterUtils.isLinked(user))
String authToken = ParseTwitterUtils.getTwitter().getAuthToken();
String secretToken = ParseTwitterUtils.getTwitter().getAuthTokenSecret();
saveTokensTwitter(authToken,secretToken);
Log.d("MyApp", "User logged in through Twitter!");
goToMainActivity();
);
// saveTokensTwitter(tokenUserTwitter,secretTokenUserTwitter);
Log.i("lul", "success: " + authToken.token);
@Override
public void failure(com.twitter.sdk.android.core.TwitterException exception)
// Do something on failure
Log.i("lul", "fail: " + "fail");
);
And I'm using this button:
<com.twitter.sdk.android.core.identity.TwitterLoginButton
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:visibility="gone"
android:id="@+id/bt_conectarTwitter"/>
You can see the Doc's from this button here
Hello, I started by logging in with twitter, following the documentation here: docs.parseplatform.org/android/guide/#twitter-users Malicious "users" can only look at network traffic and see all the information that is linked to your account, if the user signs in with twitter, the information I showed above will be there, and can be easily read.
– Augodao Aika
Sep 13 '18 at 3:26
Read over docs.parseplatform.org/android/guide/#security , specifically, as I mentioned, implement an API layer (such as Cloud Code), that the clients actually interact with to implement your "business logic" rather than giving them straight database access.
– cricket_007
Sep 13 '18 at 3:45
If anything, storing your own Twitter SDK keys along with any user object seems like a design flaw. Those should be stored elsewhere in the database to possibly be shared by all accounts that interact with your Twitter application, but not copy amongst each user
– cricket_007
Sep 13 '18 at 3:48
The twitter SDK in the client’s require you to have the client_secret client side. So the design flaw is in the twitter SDK. How you overcome it is on your responsibility. As for the parse side, only the id and access token are required to be sent by the android SDK. The client key/secret should be configured on the server
– flovilmart
Sep 13 '18 at 23:49
0
Thanks for contributing an answer to Stack Overflow!
But avoid …
To learn more, see our tips on writing great answers.
Required, but never shown
Required, but never shown
By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.
How exactly did that data get there? What configurations did you add? Why are users accessing Parse directly rather than an API abstraction with your business logic?
– cricket_007
Sep 13 '18 at 3:12