
I have a simple web app I'm testing on localhost (using http-server) in which I'm trying to authorise it following the GitHub tutorial.

I was able to redirect to GitHub page so the user can login there and get the temporary code returned from GitHub as query parameter.

Yet I can't get the auth token because every time I send a POST request with all the required data I'm getting a CORB error.

The code I'm using to do that:

// `authData` (accessTokenURL, client_id, client_secret) is defined elsewhere in the app.
const getGitHubToken = async code => {
    return await fetch(authData.accessTokenURL, {
        method: 'POST',
        // fetch does not serialise plain objects: without JSON.stringify the
        // body is sent as the literal string "[object Object]"
        body: JSON.stringify({
            client_id: authData.client_id,
            client_secret: authData.client_secret,
            code
        }),
        headers: {
            'Accept': 'application/json',
            'Content-Type': 'application/json'
        }
    });
};

So my questions are:

  • why isn't it working
  • is it safe to keep client_id and client_secret on client side
  • any suggestions on whether it's a good idea to apply this approach when my aim is to create an app able to query the GitHub API (general stats, public repos); how can I do it better?
Hubert Siwkin
    It is not safe to keep your client_id and client_secret in plain text on the client side: any user can steal it and create an application pretending to be your application. Furthermore, this malicious application would also automatically have access to everything your application has access to. – Pieter De Clercq Aug 13 '18 at 16:17
  • Seems like you are not passing the `state` required with this request – Aman B Aug 13 '18 at 16:26
  • @AmanB As far as I can see `state` is optional, only `client_id`, `client_secret` and `code` are required. – Hubert Siwkin Aug 13 '18 at 16:27

0 Answers