maxdeviant/redux-persist-transform-encrypt

Question: Why does the Readme say that you should not generate your secret key on the client?

ou2s opened this issue · 1 comment

ou2s commented

In the Readme I can read the following:

You SHOULD NOT hard-code or generate your secret key anywhere on the client, as this risks exposing the key since the JavaScript source is ultimately accessible to the end-user.

I totally understand that you should not hard-code it or store it on the JS side, but concerning the generation part I have trouble understanding why it's not a good practice.

What about generating a random UUID using this lib and storing it in the keychain? It seems secure enough to me but I may be missing something.

PS: thanks for the lib @maxdeviant, it was very helpful.

What about generating a random UUID using this lib and storing it in the keychain? It seems secure enough to me but I may be missing something.

I think when I originally wrote it, the intent was to counsel against generating a key deterministically on the client.

Generating a random UUID on the client seems like it might be okay.

At the end of the day, it's ultimately your decision for what you want to do in your app. I'm just providing some guidelines 🙂