Like most modern applications I have a front end (Vue) + backend (Django) that powers my GitHub App. Auth flow is simple. I direct users to GitHub OAuth and generate code received from the login callback.
access_token is stored in the backend. As usual, the front end makes some API calls to the backend, which in turn makes some calls to the GitHub APIs. Some of these calls are just a passthrough to GitHub. I’m wondering if it’s an acceptable security practice to store the token in the front end (either as a cookie or in local storage) and make calls directly from the front end to the GitHub APIs.
My hunch is it’s acceptable since the token is specific to that user only. I’m planning to apply for a GitHub Marketplace listing, and the app needs to go through GH security review from what I understand. It would be great if someone from GitHub can chime in.
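As an added illustration (not part of the question or of the poster's app) of the backend-only variant of the flow described above: the browser keeps only the app's own session cookie, the GitHub token stays in Django, and the passthrough endpoint forwards only an allowlisted set of GitHub API paths. The allowlist, the in-memory token store and `fake_github` are constructed stand-ins so the code runs offline.

```python
"""Server-side passthrough that keeps a user's GitHub access_token out of the browser."""
from urllib.parse import urlencode

GITHUB_API = "https://api.github.com"

# Upstream paths the front end legitimately needs (assumed list for this example).
ALLOWED_PATHS = {"/user", "/user/repos", "/user/installations"}

# session id -> GitHub token. In a real Django app this is a DB row tied to the
# user; the module-level dict is a constructed stand-in.
TOKEN_STORE = {}


def store_token(session_id, access_token):
    """Persist the token after the OAuth code exchange; it never goes to the client."""
    TOKEN_STORE[session_id] = access_token


def passthrough(session_id, path, transport, params=None):
    """Forward one allowlisted GitHub API call on behalf of the session's user.

    `transport(url, headers)` stands in for requests.get() and returns
    (status, body). The token is placed only in the upstream Authorization
    header; the response handed back to the browser carries status and body
    and nothing else from the upstream exchange.
    """
    token = TOKEN_STORE.get(session_id)
    if token is None:
        return {"status": 401, "body": {"error": "not logged in"}}
    if path not in ALLOWED_PATHS:
        # Refuse to proxy arbitrary paths instead of acting as an open relay.
        return {"status": 403, "body": {"error": "path not allowed"}}
    url = GITHUB_API + path
    if params:
        url += "?" + urlencode(params)
    headers = {
        "Authorization": "Bearer " + token,
        "Accept": "application/vnd.github+json",
    }
    status, body = transport(url, headers)
    return {"status": status, "body": body}


def fake_github(url, headers):
    """Constructed offline stand-in for GitHub: checks the header, returns canned JSON."""
    if headers.get("Authorization") != "Bearer ghu_constructed_token":
        return 401, {"message": "Bad credentials"}
    return 200, {"login": "octocat", "requested": url}
```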