BAU: Add some security checks

- Fourth wall shouldn't be used over HTTP.
- Fourth wall shouldn't use an access token which has unnecessary
permissions.
- Add some documentation about security in the readme.

solo @tlwr

README.markdown

@@ -102,3 +102,26 @@ An example enterprise repository.
 To load repositories from a team on an enterprise instance you must prefix the
 hostname to the team url parameter as with the token `<hostname>_team` (or
 `<hostname>_team[]` for multiple teams).
+
+## Security
+
+The token used to access Github is visible in the URL bar of the browser used
+to view Fourth Wall. This is potentially quite dangerous and you should be very
+careful about Github access tokens. There are some pre-flight checks to help
+with security but you should, at all times, be vigilant and discliplined.
+
+Required scopes:
+
+- `repo:status`
+- `repo:deployment`
+
+Optional scopes:
+
+- `read:org` is required if you are using the `team` query parameter mentioned above.
+
+Any other allowed scopes on the token will cause Fourth Wall to be unusable
+(due to an alert) until the token scopes have been fixed. This is a feature not a bug.
+
+Additionally there is a pre-flight check which checks that if Fourth Wall is
+being accessed remotely using HTTP. If Fourth Wall is being viewed remotely,
+please always use HTTPS.

index.html

@@ -15,6 +15,7 @@
 <script src="javascript/vendor/underscore-1.5.1.min.js" type="text/javascript"></script>
 <script src="javascript/vendor/backbone-1.0.0.min.js" type="text/javascript"></script>
 <script src="javascript/core.js" type="text/javascript"></script>
+<script src="javascript/preflight.js" type="text/javascript"></script>
 <script src="javascript/fetch-repos.js" type="text/javascript"></script>
 
 <script src="javascript/comment.js" type="text/javascript" charset="utf-8"></script>

index.js

@@ -1,4 +1,6 @@
 $(document).ready(function() {
+    runPreFlightChecks();
+
     var repos = new FourthWall.Repos();
     var items = new FourthWall.ListItems([], {
         repos: repos

javascript/preflight.js

@@ -0,0 +1,46 @@
+function runPreFlightChecks() {
+  const isHttp      = window.location.protocol == 'http:',
+        isLocalhost = window.location.hostname == 'localhost'
+        isUnsafe    = !(isHttp && isLocalhost);
+
+  if (isUnsafe) {
+    const isHttpMessage = [
+      'This page is running over the web over HTTP.',
+      'You should use HTTPS and rotate your access token.',
+    ].join(' ');
+    alert(isHttpMessage);
+  }
+
+  // We will:
+  // - Make a request to the github rate limit endpoint
+  //   (This will not affect the rate limit)
+  // - Check what scopes we have access to
+  const token             = new FourthWall.getQueryVariables().token,
+        ghUrl             = 'https://api.github.com/rate_limit',
+        authGhUrl         = ghUrl + '?access_token=' + token;
+
+  fetch(authGhUrl)
+    .then(function (response) { return response.headers; })
+    .then(function (headers)  { return headers.get('x-oauth-scopes')  })
+    .then(function (scopes)   { return scopes.split(', '); })
+    .then(function (scopes)   {
+      const allowedScopes = ['repo:status', 'repo_deployment', 'read:org'];
+      let   badScopes = scopes.filter(function(scope) {
+        return allowedScopes.indexOf(scope) < 0;
+      });
+
+      if (badScopes.length > 0) {
+        let badScopesString = badScopes.join(' '),
+            badScopesMessage = [
+              'You have the following unnecessary scopes: <',
+              badScopesString,
+              '>; these scopes should be removed.',
+              'Clicking accept will reload this page.',
+              'Reloading the page will show this message unless the scopes are correct.',
+            ].join(' ');
+
+        alert(badScopesMessage);
+        window.location.reload(true);
+      }
+    });
+}