Option #1 isn’t enough, but you do need to send the response to the server, and you don’t need to do #2.
If you just went with your first option and didn’t do any server-side validation of the response, they could easily mock the response that you would’ve forwarded to the backend. Remember (ignoring firewalls) that the user can send anything they want to your server backend, bypassing all client-side validation.
What you need to do is verify that the response your server receives from the frontend is valid, by using the Digits API from your backend. See the documentation:
> From your web server, over SSL, you can use this response to securely request the userID, phone number, and OAuth tokens of the Digits user. With this approach, there is no need to configure OAuth signing, or configure and host a callback URL for Digits.
>
> As additional security measures, you will want to, on your web host:
>
> - Validate that the oauth_consumer_key header value matches your OAuth consumer key, to ensure the user is logging into your site.
> - Verify the X-Auth-Service-Provider header by parsing the URI and asserting that the domain is api.twitter.com or www.digits.com, to ensure you call Twitter.
> - Validate the response from the verify_credentials call to ensure the user is successfully logged in.
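Added example, not code from the answer or from Digits' own SDK: the three checks quoted above as server-side Python functions, with the actual HTTPS call injected so the logic runs offline. Assumptions: the frontend forwards the two OAuth Echo headers, X-Auth-Service-Provider (on the page) and X-Verify-Credentials-Authorization (carrying oauth_consumer_key), and verify_credentials returns JSON with id_str and phone_number; all sample inputs are constructed.

```python
import hmac
import json
import re
from urllib.parse import urlparse

# Hosts the quoted documentation allows. Exact match only: a suffix or substring
# test would also accept a host such as "api.twitter.com.attacker.example".
ALLOWED_HOSTS = {"api.twitter.com", "www.digits.com"}

# OAuth header parameters look like: OAuth oauth_consumer_key="abc", oauth_nonce="..."
_OAUTH_PARAM = re.compile(r'(\w+)="([^"]*)"')

def check_service_provider(url):
    """Check 2: X-Auth-Service-Provider must be an https URL on an allowed host."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_HOSTS

def check_consumer_key(authorization_header, expected_key):
    """Check 1: oauth_consumer_key in the OAuth header must be our own key."""
    if not authorization_header.startswith("OAuth "):
        return False
    params = dict(_OAUTH_PARAM.findall(authorization_header[len("OAuth "):]))
    key = params.get("oauth_consumer_key", "")
    # Constant-time comparison, so a mismatch does not leak where it differs.
    return hmac.compare_digest(key.encode(), expected_key.encode())

def check_verify_credentials(status_code, body):
    """Check 3: 200 + JSON with id_str (assumed field names) -> (user_id, phone) else None."""
    if status_code != 200:
        return None
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict) or not data.get("id_str"):
        return None
    return data["id_str"], data.get("phone_number")

def verify_digits_login(headers, expected_key, fetch):
    """Run all three checks. `fetch(url, auth_header)` performs the real HTTPS
    call (e.g. with `requests`) and returns (status_code, body); it is injected
    so the logic can be exercised offline with a constructed response."""
    url = headers.get("X-Auth-Service-Provider", "")
    auth = headers.get("X-Verify-Credentials-Authorization", "")  # assumed header name
    if not (check_service_provider(url) and check_consumer_key(auth, expected_key)):
        return None
    status, body = fetch(url, auth)
    return check_verify_credentials(status, body)
```

Only after `verify_digits_login` returns a user id should the backend create a session; the forwarded headers alone prove nothing, since the client controls them.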