Question

The nodemailer module (which allows sending emails in a Node.js app) supports XOAUTH2 authentication against Gmail accounts. Why would one want to use this for general-purpose email notifications as opposed to just specifying the user: and pass: parameters in auth? I understand that the password is then stored in plain text, but it's never propagated anywhere. Also, the XOAUTH2 method seems to require a clientSecret: parameter, which should also probably not be made public. So what are the advantages here?

Similar question: how can I include authentication information in the app without pushing it into the remote repo? Is there a way to just ignore those lines with Git?

Solution

Using XOAUTH is useful when you want to send e-mails on behalf of your users (e.g. as if the sender were the user, not your application) - instead of asking for their passwords, you can ask them to authorize your application through the OAuth mechanism. The resulting client secrets are known only to you, valid only for accessing the e-mail of the user, nothing more, and the user can revoke these client tokens any time they wish.

If you do not want to send mail on behalf of your users but with your own credentials, then there is no point in using XOAUTH.
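
What each method actually hands to the SMTP server, as an added example that is not part of the original answer and is not nodemailer's own code: AUTH PLAIN carries the account password, while XOAUTH2 carries only a bearer token. The environment variable names (MAIL_USER, MAIL_PASS, MAIL_ACCESS_TOKEN) and the function names are assumptions chosen for illustration; reading from the environment keeps the values out of the repository.

```javascript
'use strict';

// SASL XOAUTH2 initial client response:
// base64("user=" + user + "\x01auth=Bearer " + token + "\x01\x01")
function xoauth2InitialResponse(user, accessToken) {
  if (!user || !accessToken) throw new Error('user and accessToken are required');
  // \x01 separates fields, so control characters in inputs could inject fields.
  if (/[\x00-\x1f]/.test(user + accessToken)) {
    throw new Error('control character in credential');
  }
  return Buffer.from(`user=${user}\x01auth=Bearer ${accessToken}\x01\x01`, 'utf8')
    .toString('base64');
}

// SASL PLAIN initial response: base64("\0" + user + "\0" + password)
function plainInitialResponse(user, password) {
  if (!user || !password) throw new Error('user and password are required');
  return Buffer.from(`\x00${user}\x00${password}`, 'utf8').toString('base64');
}

// Pick the auth method from an environment-like object (hypothetical variable
// names). Nothing secret lives in source code; a missing value fails loudly.
function loadMailAuth(env) {
  const user = env.MAIL_USER;
  if (!user) throw new Error('MAIL_USER is not set');
  if (env.MAIL_ACCESS_TOKEN) {
    return { method: 'XOAUTH2', user,
             initialResponse: xoauth2InitialResponse(user, env.MAIL_ACCESS_TOKEN) };
  }
  if (env.MAIL_PASS) {
    return { method: 'PLAIN', user,
             initialResponse: plainInitialResponse(user, env.MAIL_PASS) };
  }
  throw new Error('set MAIL_ACCESS_TOKEN or MAIL_PASS');
}

// Constructed sample values, not real credentials.
const demo = loadMailAuth({
  MAIL_USER: 'notifier@example.com',
  MAIL_ACCESS_TOKEN: 'constructed-token',
});
const fields = Buffer.from(demo.initialResponse, 'base64').toString('utf8').split('\x01');
console.log(demo.method, fields);
```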

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow