I have an app built on Electron.js which uses Gmail's Node.js API to authenticate. I am not sure whether it is safe to publish an app with my client id and secret along with the package. I know using API keys is not. Can someone guide me on the right way for this?
Marco Alka
Software Engineer, Technical Consultant & Mentor
Just don't. Never trust your users. Reversing an Electron app is fairly simple, and you should handle the code you deliver like a website. Even if you find ways to obscure it, there will be ways to undo it and people who will be able to follow the code. Even if you encrypt it, there are ways to intercept the decryption key.
The best solution would be to create a server which you control. This server should expose an API which can be queried in order to get whatever you actually want to provide from your Gmail account. For example:
<<<<< GET https://example.com/authenticate
      { "email": "some.mail@example.com" }
>>>>> 200 OK
      { "status": "authenticated" }