Insecure amazon client/secret #11

@kalbasit

Description

Hi,

I noticed that you plan to embed Amazon's client id and secret in the binary. While this is convenient, it is also insecure.

wmn@cratos ~/code/src/github.com/sgeb/acdcli [master] ± % ACD_API_CLIENTID="amzn1.application-oa2-client.this_is_a_hash" ACD_API_SECRET="this_is_a_secret" make dev
==> Getting dependencies...
>> Getting package github.com/sgeb/go-acd
>> Getting package golang.org/x/oauth2
>> Getting package github.com/mitchellh/cli
>> Getting package github.com/dustin/go-humanize
>> Getting package github.com/mitchellh/gox
package github.com/mitchellh/cli
    imports golang.org/x/crypto/ssh/terminal: golang.org/x/crypto is a custom import path for https://go.googlesource.com/crypto, but /Users/wmn/code/src/golang.org/x/crypto is checked out from https://code.google.com/p/go.crypto
>> Setting github.com/dustin/go-humanize to version
>> Setting golang.org/x/oauth2 to version
>> Setting github.com/mitchellh/cli to version
>> Setting github.com/sgeb/go-acd to version
>> Setting github.com/mitchellh/gox to version
>> Building package github.com/sgeb/go-acd
>> Building package golang.org/x/oauth2
>> Building package github.com/mitchellh/cli
>> Building package github.com/dustin/go-humanize
>> Building package github.com/mitchellh/gox
>> All Done
==> Removing old directory...
==> Building...
Number of parallel builds: 8

-->    darwin/amd64: github.com/sgeb/acdcli/acdcli

==> Results:
total 15024
-rwxr-xr-x  1 wmn  staff   7.3M May 22 10:25 acdcli
wmn@cratos ~/code/src/github.com/sgeb/acdcli [master] ± % strings ~/code/bin/acdcli| grep 'a_hash\|a_secret'
this_is_a_secret
amzn1.application-oa2-client.this_is_a_hash

Although the secret does not have a known guessable prefix, it is always 64 chars, which is easily guessable.

Take a look at https://github.com/caseymrm/drivesink, they have the client/secret hosted on a website and the users only get their access token and refresh token.
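The `strings | grep` check above only finds a secret whose value you already know. A release-time check that does not need the value is shown below as an added example; it is not code from acdcli or from this issue's author. It re-implements what `strings` does (runs of printable ASCII), flags any string carrying the `amzn1.application-oa2-client.` prefix seen in the output above, and flags long high-entropy tokens that look like an embedded secret. The length and entropy thresholds are assumptions, and the sample binary contents are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// ClientIDPrefix is the Amazon OAuth client id prefix visible in the
// issue's `strings` output.
const ClientIDPrefix = "amzn1.application-oa2-client."

// Heuristic thresholds (assumptions, not from the project): a token this
// long with this much per-character entropy rarely appears in ordinary
// code or symbol names.
const (
	minSecretLen  = 32
	minSecretBits = 4.0
)

// ExtractStrings behaves like the `strings` tool: it returns every run of
// printable ASCII bytes that is at least minLen long.
func ExtractStrings(data []byte, minLen int) []string {
	var out []string
	start := -1
	for i, b := range data {
		printable := b >= 0x20 && b <= 0x7e
		switch {
		case printable && start < 0:
			start = i
		case !printable && start >= 0:
			if i-start >= minLen {
				out = append(out, string(data[start:i]))
			}
			start = -1
		}
	}
	if start >= 0 && len(data)-start >= minLen {
		out = append(out, string(data[start:]))
	}
	return out
}

// ShannonEntropy returns the per-character entropy of s in bits.
func ShannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	h := 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Finding records one suspicious string and why it was flagged.
type Finding struct {
	Value  string
	Reason string
}

// isTokenRune accepts the alphabet typical secrets are drawn from.
func isTokenRune(r rune) bool {
	return r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9' ||
		strings.ContainsRune("_-+/=", r)
}

// ScanForCredentials flags strings that carry the known client id prefix and
// long high-entropy tokens that look like an embedded secret.
func ScanForCredentials(data []byte) []Finding {
	var findings []Finding
	for _, s := range ExtractStrings(data, 8) {
		if strings.Contains(s, ClientIDPrefix) {
			findings = append(findings, Finding{s, "contains Amazon client id prefix"})
			continue
		}
		for _, tok := range strings.FieldsFunc(s, func(r rune) bool { return !isTokenRune(r) }) {
			if len(tok) >= minSecretLen && ShannonEntropy(tok) >= minSecretBits {
				findings = append(findings, Finding{tok, "long high-entropy token"})
			}
		}
	}
	return findings
}

// SampleBinary is a constructed stand-in for a built acdcli binary: a few
// harmless strings plus an embedded client id and a 64-character secret,
// separated by non-printable bytes as they would be in a real executable.
var SampleBinary = []byte("\x7fELF\x00\x00Usage: acdcli [command]\x00\x00" +
	"github.com/sgeb/acdcli\x00\x00runtime.mapassign_fast64\x00" +
	"amzn1.application-oa2-client.this_is_a_hash\x00\x00" +
	"ABCDEFGHIJKLMNOPQRSTUVWXYZ012345ABCDEFGHIJKLMNOPQRSTUVWXYZ012345\x00")

func main() {
	findings := ScanForCredentials(SampleBinary)
	for _, f := range findings {
		fmt.Printf("FLAGGED (%s): %s\n", f.Reason, f.Value)
	}
	if len(findings) > 0 {
		fmt.Println("refusing to ship: credentials appear to be embedded in the binary")
	}
}
```

Run against a real build output instead of `SampleBinary` by reading the file with `os.ReadFile` and feeding the bytes to `ScanForCredentials`; the entropy rule will produce some false positives on real binaries (embedded hashes, compressed data), so treat a hit as something to review rather than an automatic failure, while the prefix rule is exact.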
