Allow users to import basic account information from GitHub. #80

Merged
merged 1 commit into JanitorTechnology:master from jankeromnes:github-integration on Sep 5, 2017

@jankeromnes
Member

jankeromnes commented Jun 20, 2017

When enabling the GitHub integration, the following profile data is imported:

  • Username (public)
  • Full name (public)
  • SSH public keys (public)

We also plan to import verified email addresses in the future in order to
de-duplicate user accounts.

@jankeromnes

jankeromnes Jun 20, 2017

Member

@bnjbvr In this commit, I introduce:

  • A /lib/github.js module implementing GitHub's API.
  • An /admin/integrations/ panel to set up the GitHub integration for the whole website (with Client ID and Secret)
  • A "User credentials" API to manage any saved user credentials (it only supports deleting github and cloud9 credentials, but in the future we'll add/remove SSH keys with it)
  • A "Connect" button in /settings/integrations/ to import various user info from GitHub (username, public SSH keys, also real name if you didn't specify it in /settings/account/)
  • A "Disconnect" button to destroy any imported data (except real name because it's managed in /settings/account/)

A few notes:

  • Although it would take just a few more lines, we don't support "Sign in with GitHub" yet, because the Alpha version is still invite-only (no need to take users through an OAuth2 round-trip only to tell them "Sorry you need an invite").
  • The accessToken we get from GitHub will also help configure user containers for GitHub contributions in the future (we could pre-configure the hub utility, e.g. by pre-generating a GitHub Personal Access Token)

Could you please review this commit?

@jankeromnes jankeromnes requested a review from bnjbvr Jun 20, 2017

@bnjbvr

bnjbvr approved these changes Jul 7, 2017

A few comments, looks great overall. I don't see any major flaw, so r+. Please make sure to have security people review this too. It was a fun pull request!

Review thread on api/user-api.js (outdated)
Review thread on lib/github.js (outdated):
const db = require('./db');
const oauth2 = require('./oauth2');
load();

@bnjbvr

bnjbvr Jul 7, 2017

Contributor

nit: call before definition

@jankeromnes

jankeromnes Sep 5, 2017

Member

It's a common pattern in this code base to leverage hoisting in order to make it obvious when a module runs some code directly on load.

Review thread on templates/settings-integrations.html (outdated)
Review thread on lib/users.js (outdated)
Review thread on lib/users.js (outdated)
Review thread on lib/github.js (outdated):
return;
}
delete oauth2States[session.id];

@bnjbvr

bnjbvr Jul 7, 2017

Contributor

Don't you want to delete the oauth2 state in the error case too?

@jankeromnes

jankeromnes Sep 4, 2017

Member

The purpose of an OAuth2 state parameter is to prevent a repeated successful authentication from producing infinite access tokens (otherwise an attacker could simply listen for a successful OAuth2 handshake, and repeat the packets while stealing the output). Hence, it's not necessary to delete the OAuth2 state when an error happens, but only when a valid OAuth2 access token is produced from it.

exports.getAuthorizationUrl = function (request, callback) {
const { session } = request;
if (!session || !session.id) {
callback(new Error('Request has no associated session'));

@bnjbvr

bnjbvr Jul 7, 2017

Contributor

nit: sessions (in English, everything which is not one is plural)

@jankeromnes

jankeromnes Aug 30, 2017

Member

There can be at most one session per request (but there can be several requests per session), so the singular should be correct.

@jankeromnes

jankeromnes Aug 30, 2017

Member

Ah wait, I see what you mean, but I think this is more like Request has not one session associated to it as opposed to Request has zero sessions associated to it. Hence I believe the current form is correct.

Review thread on app.js (outdated)

@jankeromnes

jankeromnes Jul 7, 2017

Member

🎉🎉🎉🎆🎆🎆🎆🎆🎆🎉🎉🎉

Thanks a lot for doing this review!! 😄👍 I owe you one.

Review thread on lib/github.js (outdated)

@jankeromnes jankeromnes self-assigned this Jul 13, 2017

Allow users to import basic account information from GitHub.
When enabling the GitHub integration, the following profile data is imported:
- Username (public)
- Full name (public)
- SSH public keys (public)

We also plan to import verified email addresses in the future in order to
de-duplicate user accounts.

If any of this data collection seems unreasonable to you, please file an issue:
https://github.com/janitortechnology/janitor/issues/new

@jankeromnes jankeromnes merged commit 033f6e7 into JanitorTechnology:master Sep 5, 2017

2 checks passed

continuous-integration/travis-ci/pr: The Travis CI build passed
continuous-integration/travis-ci/push: The Travis CI build passed

@jankeromnes jankeromnes deleted the jankeromnes:github-integration branch Sep 5, 2017

@jankeromnes

jankeromnes Sep 5, 2017

Member

Woot! 🎆
