on /medium/auth generates auth url, user_id, secret and on /medium/token return encoded token
Opened this issue · 0 comments
hyzhak commented
Should return `auth_url` and `auth_id`. `auth_id` must be used to get the user's token.

Possible policy problem - any third party fellow could get any token by guessing `auth_id`. So our role is to make this chance extremely low. 🚓

- encode token with `secret` which we return to user
- exposure of `token` should expire after, for example, 1-2 minutes
- space of possible values of `auth_id` should be extremely large and hard to guess
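
The three measures listed in the issue, sketched as an added example that is not the project's own code: a 256-bit random `auth_id`, a token encrypted under the per-request `secret`, and a single-use fetch with a short expiry. The function names, the in-memory `Map`, the choice of AES-256-GCM and the 10-minute pending window are assumptions made for illustration.

```javascript
// Added illustration; every name below is hypothetical, not the project's API.
const nodeCrypto = require('crypto');

const AUTH_TTL_MS = 10 * 60 * 1000; // assumed time allowed to finish the OAuth step
const TOKEN_TTL_MS = 2 * 60 * 1000; // token exposure window (the issue says 1-2 minutes)
const pending = new Map();          // sha256(auth_id) -> { key, blob, expiresAt }

// Store only a hash of auth_id so a leaked store does not yield usable ids.
const idHash = (authId) => nodeCrypto.createHash('sha256').update(authId).digest('hex');

// /medium/auth: 256-bit random auth_id plus a per-request secret (AES-256 key).
function startAuth(now = Date.now()) {
  const authId = nodeCrypto.randomBytes(32).toString('hex');
  const key = nodeCrypto.randomBytes(32);
  pending.set(idHash(authId), { key, blob: null, expiresAt: now + AUTH_TTL_MS });
  return { authId, secret: key.toString('hex') };
}

// Provider callback: encrypt the token under the secret, then forget the key.
function storeToken(authId, token, now = Date.now()) {
  const entry = pending.get(idHash(authId));
  if (!entry || !entry.key || entry.expiresAt <= now) return false;
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', entry.key, iv);
  const ct = Buffer.concat([c.update(token, 'utf8'), c.final()]);
  entry.blob = Buffer.concat([iv, c.getAuthTag(), ct]).toString('hex');
  entry.key = null;
  entry.expiresAt = now + TOKEN_TTL_MS; // exposure window starts once the token exists
  return true;
}

// /medium/token: single use; unknown, expired and not-ready ids all yield null.
function fetchToken(authId, now = Date.now()) {
  const h = idHash(authId);
  const entry = pending.get(h);
  if (!entry || entry.expiresAt <= now) { pending.delete(h); return null; }
  if (!entry.blob) return null;
  pending.delete(h);
  return entry.blob;
}

// Client side: only the holder of the secret can decode the returned blob.
function decodeToken(blobHex, secretHex) {
  const raw = Buffer.from(blobHex, 'hex');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', Buffer.from(secretHex, 'hex'), raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}
```

With this layout a correct guess of `auth_id` yields only ciphertext, and the guess has to land inside the exposure window and before the legitimate client's single fetch.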