I am trying to use OAuth with a React (frontend) and Meteor (server) project. The service I'm trying to use OAuth is not one of the popular widespread (i.e.Google, Facebook), so I'm having trouble figuring out how to do this.
Meteor maintains a secure settings.json server file that stores your api keys and application secrets, which I would presumably use to authenticate the client. I just donβt understand how.
I found this package https://www.npmjs.com/package/react-oauth-flow , and the OAuth request submission component looks like this:
<OauthSender authorizeUrl="https://www.dropbox.com/oauth2/authorize" clientId={process.env.CLIENT_ID} redirectUri="https://www.yourapp.com/auth/dropbox" state={{ from: '/settings' }} render={({ url }) => <a href={url}>Connect to Dropbox</a>} />
Now I donβt understand how {process.env.CLIENT_ID} can be safely stored / retrieved since the entire application is accessible to the client? Therefore, I could not use something like Meteor.settings.CLIENT_ID because the application client identifier is not available for the responsive application.
The same goes for the OauthReceiver component:
<OauthReceiver tokenUrl="https://api.dropbox.com/oauth2/token" clientId={process.env.CLIENT_ID} clientSecret={process.env.CLIENT_SECRET} redirectUri="https://www.yourapp.com/auth/dropbox" onAuthSuccess={this.handleSuccess} onAuthError={this.handleError} render={({ processing, state, error }) => ( <div> {processing && <p>Authorizing now...</p>} {error && ( <p className="error">An error occured: {error.message}</p> )} </div> )} />
How is {process.env.CLIENT_SECRET} retrieved? Again, you cannot use Meteor.settings.CLIENT_SECRET, since it is available only for the server, and the component is rendered on the client side.
I feel that this is a problem of conceptual understanding on my part, and if someone could explain it to me, I would be very grateful.