Security issue in Oauth2 flow

[antoinechalifour]

Right now we are doing the whole Oauth2 flow on the back end (this project), and then redirecting to ANY client with the access token and refresh token in the URL.

As of now, any application can use our back end to authenticate with our Google App. This should be fixed asap by :

• making the initial request from the FRONT END
• redirecting to the front end and sending the Google auth Code to our back end
• the rest does not change