apiSecret in URL  #3

@zcauchon

Thanks for adding in the private endpoints, I was about to start writing my own solution until I found this. I would recommend updating the readme to contain the private endpoints as well since you wouldn't know they are there unless you look into the BittrexAPI class.

Is it necessary to have the apiSecret exposed in the URL? Doing so would allow anyone to see both the apiKey and apiSecret, thus giving them the ability to sign illegitimate requests.

Removing the secret from the getObjectParams function prevents the secret from being written in the URL and still allows the request to be signed using the secret.

```javascript
getObjectParams(params) {
    let api = {
        apikey: this.apiKey,
        //apiSecret: this.apiSecret,
        nonce: Bittrex.getNonce()
    };
    return Object.assign(api, params);
}
```
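The change proposed above, as an added example that is not part of the original issue or the project's code: the secret is used only as the HMAC key and never becomes a query parameter. It assumes the HMAC-SHA512 `apisign` header scheme Bittrex documented for its v1.1 API; `buildSignedRequest`, `urlLeaksSecret`, the host and the credentials are hypothetical, constructed names and values.

```javascript
const crypto = require('crypto');

// Constructed sample values, not real credentials or a real endpoint.
const SAMPLE_URL = 'https://api.example.invalid/account/getbalance';
const SAMPLE_KEY = 'example-api-key';
const SAMPLE_SECRET = 'example-api-secret';

// Hypothetical helper: the query string carries apikey, nonce and the
// caller's params only. The secret is used solely as the HMAC key.
function buildSignedRequest(baseUrl, apiKey, apiSecret, params, nonce) {
    const query = new URLSearchParams({ apikey: apiKey, nonce: String(nonce), ...params });
    const url = `${baseUrl}?${query.toString()}`;
    // Assumed scheme: HMAC-SHA512 over the full URL, hex-encoded, sent as a header.
    const apisign = crypto.createHmac('sha512', apiSecret).update(url).digest('hex');
    return { url, headers: { apisign } };
}

// Hypothetical guard for tests or a pre-send check: true when the secret
// appears anywhere in the URL, either raw or as a decoded parameter value.
function urlLeaksSecret(url, apiSecret) {
    if (url.includes(apiSecret)) return true;
    for (const value of new URL(url).searchParams.values()) {
        if (value.includes(apiSecret)) return true;
    }
    return false;
}

// The "before" behaviour described in the issue: secret sent as a parameter.
function buildLeakyUrl(baseUrl, apiKey, apiSecret, nonce) {
    const query = new URLSearchParams({ apikey: apiKey, apiSecret, nonce: String(nonce) });
    return `${baseUrl}?${query.toString()}`;
}

const fixed = buildSignedRequest(SAMPLE_URL, SAMPLE_KEY, SAMPLE_SECRET, { currency: 'BTC' }, 1500000000);
console.log(fixed.url, 'leaks secret:', urlLeaksSecret(fixed.url, SAMPLE_SECRET));
console.log('before fix leaks secret:',
    urlLeaksSecret(buildLeakyUrl(SAMPLE_URL, SAMPLE_KEY, SAMPLE_SECRET, 1500000000), SAMPLE_SECRET));
```

A URL is routinely recorded in proxy logs, server access logs and browser history, which is why the guard checks the URL string itself rather than the headers.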
