Single Page App

Hi guys, I’m having a doubt building a SPA in React.
I managed to do the authorization client side only, but now to get an access token I have to use the client secret.
I wanted to avoid having to run a Node.js server, so my question is:
If I store the client secret on the client, that is bad, right?

Because I managed to get the token back by sending my credentials through a POST request, but I don’t think sending the client secret through the client is the best way.

Thanks.

You are right, not only is it not a good idea, but it is also against the terms of service. You must keep your secret protected at all times. You’ll have to use some kind of back-end server to manage tokens.

I wrote an open source “proxy” in Ruby/Sinatra to help out people who don’t want to write a lot of back-end code. Writing your own implementation in NodeJS is not too hard either if you prefer. There are some Community Created Libraries & Resources to help you with that.

If you wanna give the proxy a try you can easily deploy it to Heroku using your free tier by clicking the “Deploy to Heroku” button. https://gitlab.com/francisschiavo/blizzard-api-proxy

I’m not aware of any safe alternative without the need of a back-end server, you might wanna ask around on the Community Discord Server to see if there is something.

Hi Schiller, thanks for the reply.
I know how to code the server part in Node.js, but I also used Google Firebase and it is serverless, which I love.
Maybe I’ll use a cloud function to let the user authorize and get the token with an Express server.
I was just hoping to do everything fully on the client.

I’ll check your proxy btw.

Thanks!

That proxy is intended to help out front-end developers; it is probably not an ideal option for your use case. As I said, try asking around the Discord; you might even find someone who solved the same problem. There are lots of nice devs there and you will surely get some help. 🙂
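
The back-end token exchange discussed in this thread (a small server or cloud function that holds the client secret so the SPA never sees it), as an added example that is not part of the original posts or of the linked proxy. The token URL, the environment variable names and the redirect allowlist are placeholders chosen for illustration; it assumes a standard OAuth 2.0 authorization-code flow with HTTP Basic client authentication.

```javascript
// Added example: server-side OAuth 2.0 authorization-code exchange.
// TOKEN_URL, the env variable names and ALLOWED_REDIRECTS are placeholders (assumptions).
const TOKEN_URL = process.env.OAUTH_TOKEN_URL || "https://oauth.example.invalid/token";
const ALLOWED_REDIRECTS = new Set(["https://app.example.invalid/callback"]);

// Build the token request. The secret is only ever placed in the Authorization
// header of the server-to-provider call (HTTP Basic client authentication).
function buildTokenRequest(code, redirectUri, clientId, clientSecret) {
  if (typeof code !== "string" || !/^[\x21-\x7e]{1,512}$/.test(code)) {
    throw new Error("invalid authorization code");
  }
  if (!ALLOWED_REDIRECTS.has(redirectUri)) {
    throw new Error("redirect_uri not allowed");
  }
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  return {
    url: TOKEN_URL,
    method: "POST",
    headers: {
      Authorization: `Basic ${basic}`,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: new URLSearchParams({
      grant_type: "authorization_code", code, redirect_uri: redirectUri,
    }).toString(),
  };
}

// Handle one exchange for the SPA. fetchImpl is injectable so the function can be
// exercised offline; in a cloud function it defaults to the global fetch (Node 18+).
async function exchangeCode({ code, redirectUri }, env = process.env, fetchImpl = fetch) {
  let req;
  try {
    req = buildTokenRequest(code, redirectUri, env.OAUTH_CLIENT_ID, env.OAUTH_CLIENT_SECRET);
  } catch (err) {
    return { status: 400, body: { error: err.message } };
  }
  const { url, ...init } = req;
  const res = await fetchImpl(url, init);
  if (!res.ok) {
    // Do not relay the provider's error body; it may echo request details.
    return { status: 502, body: { error: "token exchange failed" } };
  }
  const token = await res.json();
  // Return only what the browser needs; a refresh token stays on the server side.
  return { status: 200, body: { access_token: token.access_token, expires_in: token.expires_in } };
}
```

The SPA sends only the authorization code and redirect URI to this function; the secret lives in the function's environment configuration and never appears in the response.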