include::../../../shared_content/secrets/description.adoc[]

== Why is this an issue?

include::../../../shared_content/secrets/rationale.adoc[]

If attackers gain access to your WakaTime OAuth token or secret, they can potentially use it to make unauthorized requests to the WakaTime API on your behalf.

=== What is the potential impact?

Attackers exploiting leaked WakaTime OAuth tokens or secrets can potentially access sensitive information, modify data, or perform actions on behalf of the user without their consent. The exact capabilities of the attackers will depend on the authorizations the corresponding application has been granted.

Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the secret.

include::../../../shared_content/secrets/impact/data_compromise.adoc[]

include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[]

== How to fix it

include::../../../shared_content/secrets/fix/revoke.adoc[]

include::../../../shared_content/secrets/fix/vault.adoc[]

=== Code examples

==== Noncompliant code example

[source,python,diff-id=1,diff-type=noncompliant]
----
from rauth import OAuth2Service

service = OAuth2Service(
    client_id='d130uKF73fueZSCM9tUodIFN',
    client_secret='waka_sec_ez0kI3tQlYVvYSJOAjoI5n3PpyG69HQl91TZKFjSdb0X0XXgY7dahXiPpAhYL2kNxqDBzHuHNuzCPr5d', # Noncompliant
    name='wakatime',
    authorize_url='https://wakatime.com/oauth/authorize',
    access_token_url='https://wakatime.com/oauth/token',
    base_url='https://wakatime.com/api/v1/')
----

==== Compliant solution

[source,python,diff-id=1,diff-type=compliant]
----
import os
from rauth import OAuth2Service

service = OAuth2Service(
    client_id=os.environ['WAKA_CLIENT_ID'],
    client_secret=os.environ['WAKA_CLIENT_SECRET'],
    name='wakatime',
    authorize_url='https://wakatime.com/oauth/authorize',
    access_token_url='https://wakatime.com/oauth/token',
    base_url='https://wakatime.com/api/v1/')
----

//=== How does this work?

//=== Pitfalls

//=== Going the extra mile

== Resources

=== Documentation

WakaTime API Documentation - https://wakatime.com/developers#authentication[WakaTime API Authenticationb]

include::../../../shared_content/secrets/resources/standards.adoc[]