Fixes #655 - Convert OAuth app to GitHub app to limit permissions we request #3629
Conversation
ksy36
changed the title
| @@ -102,7 +103,7 @@ def login(): | |||
| # manually set the referer so we know where to come back to | |||
| # when we return from GitHub | |||
| set_referer(request) | |||
| return github.authorize('public_repo') | |||
| return github.authorize() | |||
| else: | |||
There was a problem hiding this comment.
This is no longer needed as scopes are set during app creation/installation (and we don't really ask for any permissions apart from "act on your behalf").
| @@ -319,7 +320,20 @@ def create_issue(): | |||
| url_for('show_issue', number=json_response.get('number'))) | |||
| # Authenticated reporting | |||
| if form.get('submit_type') == 'github-auth-report': | |||
| if g.user: # If you're already authed, submit the bug. | |||
| if g.user: | |||
There was a problem hiding this comment.
This is to handle a case in the future when a user revokes a token, but is still logged in on webcompat.com and tries to submit an issue (not required for this migration to GitHub apps as the plan is to invalidate sessions to log out users, but nice to handle this exception).
|
r? @karlcow |
| @@ -20,6 +20,7 @@ | |||
| from flask import session | |||
| from flask import url_for | |||
| from flask_firehose import push | |||
| from flask_github import GitHubError | |||
There was a problem hiding this comment.
Thoughts:
I wonder if this project is still maintained.
https://github.com/cenkalti/github-flask
Last PR on it was in 2020. and it is said to be compatible with Python 3.4
But I don't have any ideas without researching. This is not related to this PR.
There was a problem hiding this comment.
I was thinking that too. We can revisit the use of this package in the near future. There are two alternatives that I found, https://github.com/singingwolfboy/flask-dance and authlib (https://docs.authlib.org/en/latest/client/flask.html#flask-client)
|
Nice work @ksy36! |
|
Thanks! |
I've created 3 GitHub apps, for production, staging and local (similarly to OAuth apps we have currently) and installed them on webcompat account. Each app has an access only to a specific repository (
web-bugsfor production app andwebcompat-testsfor staging and local).The apps don't have any permissions apart from read and write access to issues of the repository where they're installed AND they request permission from users to act on their behalf through OAuth (again only on the repository where the app is installed). So the OAuth token that the app receives is valid only for a specific interaction (filing issues on
web-bugs/webcompat-testsin our case).There is an explanation of the process in https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/authorizing-github-apps#to-what-extent-can-a-github-app-know-which-resources-you-can-access--and-act-on-your-behalf
And this article was helpful too https://tyers.io/posts/4-github-apps (Github app vs OAuth app section).
The changes that will need to be made:
GITHUB_CLIENT_IDandGITHUB_CLIENT_SECRETon the server to the one from GitHub app.SECRET_KEYon the server to invalidate existing sessions / logout users. This is needed so users don't try to submit issues with a token for the old OAuth app.When they log in again, they will be prompted to give access to the new GitHub app.