Tags: node.js, rest, security, autodesk-forge, autodesk-data-management

What Data Management API calls can I have on client side?


I have a file hierarchy that gets files and folders from one of the user's hubs. All of these calls are on the server side. Can these calls reside on the client side and still remain secure? None of these calls have my client secret from my Forge application. To clarify, can you answer which calls can be client- or server-sided and still be 100% secure?

Get 3-legged auth (exposes client secret) - secure or not on client side

Get hubs - secure or not on client side

Get projects - secure or not on client side

Get files in folders - secure or not on client side

Get versions of files - secure or not on client side

Download files - secure or not on client side


Solution

  • As you can read in this article: https://developer.autodesk.com/en/docs/oauth/v2/overview/scopes/ Autodesk says about the scopes that on the client side only the scope viewables:read should be available.

    "Because this means that the token is exposed on the client-side, it is important to make sure that the token is restricted for Viewer calls to the viewables:read scope, which limits access to the end user’s viewable output files (SVF, PNG, etc). This is particularly important in a two-legged context, where a malicious end user could use an unscoped token to take actions across the platform on the developer’s behalf and compromise the developer’s data."

    I don't know what kind of application you are building but you have to ask yourself what your users are able to do with the scopes you give them.

    Since you give scopes on your whole account and not on specific buckets, you also have to ask yourself if clients who have access to folder "a" can also see the content of folder "b".
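    The split the answer describes, as an added Node.js example (not code from the question, the answer, or an Autodesk sample): the client secret and the Data Management calls stay on the server, and the browser only ever receives a token restricted to viewables:read. The v1 authenticate and project endpoints are Forge's; the env field names, the fetchImpl injection hook and the hub data are assumptions for illustration.

```javascript
// Added example: a minimal server-side token broker for Forge.
// Secret stays here; browser gets only a viewables:read token.
const AUTH_BASE = 'https://developer.api.autodesk.com/authentication/v1';
const PROJECT_BASE = 'https://developer.api.autodesk.com/project/v1';

// The only scope a token handed to the browser may carry.
const CLIENT_SAFE_SCOPES = ['viewables:read'];

// Refuse any scope the quoted Forge guidance says must not be exposed client-side.
function assertClientSafeScopes(scopes) {
  const bad = scopes.filter((s) => !CLIENT_SAFE_SCOPES.includes(s));
  if (bad.length) throw new Error(`scope(s) not allowed on client: ${bad.join(', ')}`);
  return scopes;
}

// Form body for the 2-legged client_credentials grant; built and sent only on the server.
function buildTwoLeggedRequest(clientId, clientSecret, scopes) {
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: 'client_credentials',
    scope: scopes.join(' '),
  });
  return { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: body.toString() };
}

// Token endpoint for the browser: scope-checked, fetched server-side, and only the
// token and its lifetime are returned. fetchImpl is injectable (assumed hook) for testing.
async function issueViewerToken(env, fetchImpl = fetch) {
  const scopes = assertClientSafeScopes(CLIENT_SAFE_SCOPES);
  const res = await fetchImpl(`${AUTH_BASE}/authenticate`, buildTwoLeggedRequest(env.clientId, env.clientSecret, scopes));
  if (!res.ok) throw new Error(`auth failed: ${res.status}`);
  const { access_token, expires_in } = await res.json();
  return { access_token, expires_in };
}

// Data Management stays server-side: list hubs with a data:read token held only here,
// and hand the browser just the fields its UI needs.
async function listHubs(serverToken, fetchImpl = fetch) {
  const res = await fetchImpl(`${PROJECT_BASE}/hubs`, { headers: { Authorization: `Bearer ${serverToken}` } });
  if (!res.ok) throw new Error(`hubs request failed: ${res.status}`);
  const { data } = await res.json();
  return data.map((h) => ({ id: h.id, name: h.attributes.name }));
}
```

    Folder, item, version and download calls follow the same pattern as listHubs: the server holds the data:read token and returns only what the page needs to render.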