
Github OAuth permissions too demanding #1790

Closed
joshsouza opened this Issue Apr 18, 2018 · 4 comments

3 participants
@joshsouza

joshsouza commented Apr 18, 2018

Description

When enabling the Github OAuth integration, Portus requests:

  • Read org and team membership (Sensible)
  • Update all user data (Overly permissive)

Can we either get documentation on why Portus needs to have access to write user data (this can include things like SSH keys, which is a potential security problem), or can it be adjusted to be read-only, and only use the minimum necessary for authentication?

Steps to reproduce

  1. Enable GitHub OAuth integration
  2. Log in using GitHub integration for the first time
  3. Observe the requested permissions
  • Expected behavior: I expect only read access to org/team/user data
  • Actual behavior: Write access to user data requested

Portus version: 2.3.1@a4ca664b9c30c7a464296297d1868ba301d791cf

@Vad1mo

Contributor

Vad1mo commented Apr 18, 2018

This is currently requested:

{ scope: "user,read:org" }

Looking at the docs
read:org | Read-only access to organization, teams, and membership. This is mandatory for providing access to only certain members in a group.

Regarding the user scope, we might get away with read:user and/or user:email if one or both are needed.

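As an added illustration of the point made in the comment above (this is not Portus's own code, nor from its devise configuration), the following Ruby snippet audits a GitHub OAuth scope string against a least-privilege allowlist for an authentication-only integration. The `BEFORE`/`AFTER` hashes are hypothetical and only mirror the `{ scope: "..." }` shape quoted in the thread; the scope names themselves (`user`, `read:org`, `read:user`, `user:email`) are the ones GitHub documents.

```ruby
# Added example: check a GitHub OAuth scope request for least privilege.
# Not part of Portus; the config hashes below are constructed for illustration.

# Read-only scopes sufficient for "who is this user and which orgs/teams are
# they in" (the three scopes discussed in this issue).
READ_ONLY_SCOPES = %w[read:org read:user user:email].freeze

# GitHub accepts scopes separated by commas or spaces; normalise either form.
def parse_scopes(scope_string)
  scope_string.to_s.split(/[\s,]+/).reject(&:empty?).uniq
end

# Every requested scope that is not on the read-only allowlist. The broad
# `user` scope, for instance, grants read/write access to profile data and so
# shows up here; an empty result means the request is least-privilege.
def excessive_scopes(scope_string)
  parse_scopes(scope_string).reject { |s| READ_ONLY_SCOPES.include?(s) }
end

# Hypothetical omniauth option hashes in the shape quoted in the thread.
BEFORE = { scope: "user,read:org" }.freeze                   # as originally requested
AFTER  = { scope: "read:user,user:email,read:org" }.freeze   # read-only replacement

def least_privilege?(options)
  excessive_scopes(options[:scope]).empty?
end

if __FILE__ == $PROGRAM_NAME
  [BEFORE, AFTER].each do |opts|
    excess = excessive_scopes(opts[:scope])
    status = excess.empty? ? "ok" : "excessive: #{excess.join(', ')}"
    puts "#{opts[:scope].inspect} -> #{status}"
  end
end
```

Running it prints the original request as excessive because of `user`, and the read-only replacement as ok; the same check can be dropped into a test suite so a future scope change that widens permissions fails CI rather than surprising a security review.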
@joshsouza

joshsouza commented Apr 26, 2018

It'd be great if we could update it to just read:user and user:email. Definitely would appease our security reviewers.

mssola added a commit to mssola/Portus that referenced this issue Apr 27, 2018

devise: use a more fine-grained scope for Github
We didn't need `user`, but just `read:user` and `user:email`.

Fixes SUSE#1790

Signed-off-by: Miquel Sabaté Solà <msabate@suse.com>

@mssola mssola added this to In progress in 2.4 Apr 27, 2018

mssola added a commit that referenced this issue Apr 27, 2018

devise: use a more fine-grained scope for Github
We didn't need `user`, but just `read:user` and `user:email`.

Fixes #1790

Signed-off-by: Miquel Sabaté Solà <msabate@suse.com>

@mssola

Contributor

mssola commented Apr 27, 2018

@joshsouza fixed with #1800 and cherry-picked into the v2.3 branch (we will roll out these changes into the Docker image shortly). Thanks for noticing these kinds of things 👍

@mssola mssola moved this from In progress to Done in 2.4 Apr 27, 2018

@joshsouza

joshsouza commented Apr 27, 2018

Thanks for the quick response!
