I was just looking into creating a plugin for netatmo and was running into one problem.
To access the netatmo api you need to create an “app” which then provides a “client id” and a “client secret”. These are then used for authentication. These should not be visible in the code of your application in a “human readable” format.
This definitely makes sense so that no malicious software will use your API key and your app/access will be disabled.
Normally I would encrypt them in the code which would then be compiled to binary which should be sufficient enough to protect it reasonably (I know it still is not secure but it would take some work to extract it).
I know there is a way to have native modules in node but as far as I know the source code would need to be provided in “clear text”.
Does anybody here have any ideas how I could securely store the “client secret” in the application?
Sure one option would be for now that anybody who wants to use it has to create his own app in the netatmo account but I don’t know how long netatmo will allow this.
In addition I think this is a problem for many APIs which we want to build plugins for.
It also seems to be a “problem” that you can always alter the node.js code so that you do some console.log of the parameters when the api call is done.
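An added example (not code from the post, the plugin, or netatmo) showing the usual alternative to baking the client secret into the plugin source: read the client id and secret from the process environment at startup, and wrap the secret so that a stray console.log or JSON.stringify prints a placeholder instead of the value. The environment variable names NETATMO_CLIENT_ID and NETATMO_CLIENT_SECRET, the constructed sample values, and the OAuth2 refresh_token form body are assumptions for illustration; as the post notes, this does not stop someone who edits the plugin code itself, since they can still call reveal().

```javascript
// Added example: keep the client secret out of the plugin source.
// Credentials come from the process environment (or a config file the user
// controls); the secret is wrapped so accidental logging redacts it.
// NETATMO_CLIENT_ID / NETATMO_CLIENT_SECRET are assumed variable names.

const REDACTED = '[redacted]';

class SecretValue {
  #value;
  constructor(value) { this.#value = value; }
  // Only an explicit reveal() call returns the real value.
  reveal() { return this.#value; }
  // String conversion, JSON.stringify and console.log all print the placeholder.
  toString() { return REDACTED; }
  toJSON() { return REDACTED; }
  [Symbol.for('nodejs.util.inspect.custom')]() { return REDACTED; }
}

// Load credentials from an environment-like object; fail fast when missing
// so the plugin never silently runs with an empty secret.
function loadClientCredentials(env = process.env) {
  const clientId = env.NETATMO_CLIENT_ID;
  const clientSecret = env.NETATMO_CLIENT_SECRET;
  if (!clientId || !clientSecret) {
    throw new Error('NETATMO_CLIENT_ID and NETATMO_CLIENT_SECRET must be set');
  }
  return { clientId, clientSecret: new SecretValue(clientSecret) };
}

// Build a standard OAuth2 refresh_token form body (assumed parameter set);
// the secret is only unwrapped at the point of use.
function buildTokenRequestBody(creds, refreshToken) {
  const params = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: creds.clientId,
    client_secret: creds.clientSecret.reveal(),
    refresh_token: refreshToken,
  });
  return params.toString();
}

// Constructed sample environment so the block runs stand-alone.
const sampleEnv = { NETATMO_CLIENT_ID: 'id-123', NETATMO_CLIENT_SECRET: 's3cr3t' };
const creds = loadClientCredentials(sampleEnv);
console.log(creds);                 // clientSecret prints as [redacted]
console.log(JSON.stringify(creds)); // secret redacted here as well
```

In a real plugin the user would export the two variables (or put them in a config file readable only by the plugin's account) instead of the constructed sampleEnv object.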