-
Notifications
You must be signed in to change notification settings - Fork 116
Expand file tree
/
Copy path.env.example
More file actions
46 lines (42 loc) · 2.1 KB
/
.env.example
File metadata and controls
46 lines (42 loc) · 2.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# OAuth Client IDs for Calendar Integration (Device Flow)
# These are PUBLIC identifiers - safe to bundle in plugin code
# ============================================================================
# IMPORTANT: Device Flow Security Model
# ============================================================================
#
# Device Flow (RFC 8628) only requires a PUBLIC client_id.
# NO client_secret is used or bundled (security requirement).
#
# How it works:
# 1. Plugin shows user a code (e.g., "ABCD-1234")
# 2. User visits google.com/device and enters code
# 3. Plugin polls Google for authorization result
# 4. No secrets needed anywhere in this flow!
#
# License requirement:
# - Users with valid TaskNotes license: Use built-in client_id (easy setup)
# - Users without license: Must provide their own OAuth credentials in settings
#
# ============================================================================
# Google Calendar OAuth Client ID (Public identifier for Device Flow)
# Get this from: https://console.cloud.google.com/apis/credentials
# Application type: "Desktop app" or "TVs and Limited Input devices"
GOOGLE_OAUTH_CLIENT_ID=your-client-id.apps.googleusercontent.com
# Microsoft OAuth Client ID (Public identifier for Device Flow)
# Get this from: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps
# Platform: "Mobile and desktop applications"
# Redirect URI: Not needed for Device Flow
MICROSOFT_OAUTH_CLIENT_ID=your-microsoft-client-id
# ============================================================================
# DO NOT ADD client_secret HERE
# ============================================================================
# Secrets are NOT bundled into the plugin for security reasons.
# See OAUTH_CALENDAR_ISSUES.md for detailed security analysis.
#
# Device Flow doesn't require secrets, making this approach both:
# - Secure (no secrets in code)
# - Simple (users just enter license key)
#
# For development/testing: Create your own OAuth apps following:
# docs/planning/oauth-setup-guide.md
# ============================================================================