[okfn-labs] GetMyGist changes

Wed May 23 15:36:58 UTC 2012

Hi Nick,

I thought many times about it,
I will fix this, like you said: moving the api keys to proxy server,
I wanted use this server for other projects, but I believe the better
solution is use this proxy only for GetMyGist, if I need use a proxy to
github again I fork this proxy

Thanks,
Duke

On Wed, May 23, 2012 at 8:25 AM, Nick Stenning <nick at whiteink.com> wrote:

> Hi Duke,
>
> This is great, and the idea of using the Gist API as a code/whatever
> storage platform is a great one. James Casbon played with the same
> solution for early versions of notebook.js
> (https://github.com/jamescasbon/notebook.js)
>
> On 21/05/2012 12:19, Rufus Pollock wrote:
> >
> > In addition, thanks entirely to Duke we always have write support via
> > OAuth (unfortunately this requires a small oauth proxy) so we have a
> > full-on mini-gist editor.
>
> Unfortunately the proxy is a bit *too* minimal. Specifically I note that
> you are storing the OAuth client secret clientside:
>
>  https://github.com/OKFN-BR/GetMyGist/blob/gh-pages/github.js
>
> This is not a good idea, as it means that I can easily disable your
> service by using your credentials to exceed the API rate limit.
>
> Also, while it might not be in violation of GitHub's ToS, it's certainly
> not good practice to share the client secret. See the second paragraph
> here:
>
>  http://developer.github.com/v3/oauth/
>
> The solution is to store this information server-side (in the proxy) and
> to implement some kind of session management for clients of GetMyGist.
>
> Best wishes, and not trying to be a downer,
> Nick
>
>
> _______________________________________________
> okfn-labs mailing list
> okfn-labs at lists.okfn.org
> http://lists.okfn.org/mailman/listinfo/okfn-labs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.okfn.org/pipermail/okfn-labs/attachments/20120523/6017bb59/attachment-0002.html>