[okfn-labs] GetMyGist changes

Nick Stenning nick at whiteink.com
Wed May 23 11:25:16 UTC 2012


Hi Duke,

This is great, and the idea of using the Gist API as a code/whatever
storage platform is a great one. James Casbon played with the same
solution for early versions of notebook.js
(https://github.com/jamescasbon/notebook.js)

On 21/05/2012 12:19, Rufus Pollock wrote:
>
> In addition, thanks entirely to Duke we always have write support via
> OAuth (unfortunately this requires a small oauth proxy) so we have a
> full-on mini-gist editor.

Unfortunately the proxy is a bit *too* minimal. Specifically I note that
you are storing the OAuth client secret clientside:

  https://github.com/OKFN-BR/GetMyGist/blob/gh-pages/github.js

This is not a good idea, as it means that I can easily disable your
service by using your credentials to exceed the API rate limit.

Also, while it might not be in violation of GitHub's ToS, it's certainly
not good practice to share the client secret. See the second paragraph here:

  http://developer.github.com/v3/oauth/

The solution is to store this information server-side (in the proxy) and
to implement some kind of session management for clients of GetMyGist.

Best wishes, and not trying to be a downer,
Nick
