• dan@upvote.au
    link
    fedilink
    English
    arrow-up
    51
    ·
    edit-2
    3 months ago

    lol at the DO NOT TRUST keys.

    I’ve learnt over the years that you have to make the example code fail to compile or print out huge user-visible warnings or something like that, otherwise people can and will use it as-is in production, hard-coded keys and all.

    Even if you make it print out a huge message, some manufacturers will just comment that out while keeping all the other dummy example data.

    I’ve seen several production OAuth/OpenID servers that accepted an app ID and secret from a “how to set up an OAuth server” tutorial, and in one case the company was using that app ID for all their production services.