
I have integrated my React Native app and Laravel web app with Laravel Passport.

All my secret keys are managed server-side (Pusher, Stripe payment, etc.) except for the secret key from Laravel Passport, which is needed for the mobile app to authenticate and talk to my website.

I understand that no secret key should be in the code, but I have no idea how to manage it differently...

Any suggestion? How do you manage this situation?

Thank you.

sbkl
  • Why do you need a secret key to authenticate? Shouldn't you be requesting an access token for each session? – Devon Bessemer Apr 21 '18 at 00:06
  • It’s the client secret key related to the app, so Laravel recognises which app is making the request. Laravel Passport is managed with an OAuth2 server behind the scenes. – sbkl Apr 21 '18 at 00:10
  • Please check these posts, maybe they will be helpful: https://stackoverflow.com/questions/43534392/how-to-handle-client-id-and-client-secret-for-password-grant-tokens-in-passport/49950829#49950829, https://stackoverflow.com/questions/39436509/laravel-passport-scopes/48088463#48088463 – Bart Apr 21 '18 at 00:25
  • You may want to look into implicit grants – Devon Bessemer Apr 21 '18 at 00:27
  • @sbkl did you find a way to do this? – Daniel R. May 22 '20 at 19:36
  • @MattE. Using react-native-dotenv so as not to store the keys directly in the code. However, I'm no expert and cannot say this is making it "secure". – sbkl May 25 '20 at 00:31

0 Answers