We have an application that will allow users to upload replay videos for other users to view. These are short videos recorded of the gameplay in the app.
Cloudinary looks like a great solution for this, but the problem is that at some point the client secret needs to be used to make an upload from the user app.
I don't see a way we can make this 100% secure (i.e., prevent discovery of the client secret).
Is this just a fundamental problem that is only solvable by having a proxy server make the upload to Cloudinary using the client secret?
EDIT: Reading the documentation further, it looks like unsigned uploads would allow the app to upload without the client secret.
Can we configure rate limiting on a per-connection basis to make sure this doesn't get abused?
Also, if the app wants to get a list of all the video URLs matching some timeframe or tag, can it do so without providing the client secret to the API?
Post is closed for comments.