Limit required access rights #101

Merged
merged 1 commit into from
Feb 23, 2015

Conversation

jugglinmike
Contributor

@jasonm I don't have a deployed version of this application running, so I haven't been able to test this. Would you mind manually verifying that it works? Sorry, I know it's kind of a hassle, but I can't think of an automated way to ensure this actually works.

Commit message:

When registering a new repository, only request permission for those
actions required by this application. This includes:

  • user:email - Grants read access to a user’s email addresses.
  • repo:status - Grants read/write access to public and private
    repository commit statuses. This scope is only necessary to grant
    other users or services access to private repository commit statuses
    without granting access to the code.
  • admin:repo_hook - Grants read, write, ping, and delete access to
    hooks in public or private repositories.
  • admin:org_hook - Grants read, write, ping, and delete access to
    organization hooks. Note: OAuth tokens will only be able to
    perform these actions on organization hooks which were created by
    the OAuth application. Personal access tokens will only be able to
    perform these actions on organization hooks created by a user.
  • read:org - Read-only access to organization, teams, and
    membership.

[1]

...and is facilitated by the OmniAuth Github gem:

Scopes

GitHub API v3 lets you set scopes to provide granular access to
different types of data:

use OmniAuth::Builder do
  provider :github, ENV['GITHUB_KEY'], ENV['GITHUB_SECRET'], scope: "user,repo,gist"
end

[2]

[1] GitHub API Documentation - OAuth: Scopes
https://developer.github.com/v3/oauth/#scopes
[2] OmniAuth-Github gem documentation
https://github.com/intridea/omniauth-github#scopes

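
The two scope tiers this PR ends up with (the full set listed in the commit message, and the scope-less "signature-only" tier jasonm describes further down the thread), expressed as an added Ruby example. This is not CLAHub's code: `omniauth_github_options`, `scope_report` and the other names are mine, and the sample `X-OAuth-Scopes` header values are constructed rather than captured from GitHub. GitHub reports the scopes a token actually carries in the `X-OAuth-Scopes` response header, so a check like `scope_report` is what a login-time "is this token under- or over-privileged for this tier?" verification could look like; the parent/child scope relationships in `IMPLIED_SCOPES` follow the GitHub scope documentation cited as [1].

```ruby
# Added example (not CLAHub's own code). Builds the omniauth-github options for
# each scope tier and checks a GitHub-issued token's X-OAuth-Scopes against a tier.

# Scopes the commit message lists as required for creating agreements.
FULL_SCOPES = %w[user:email repo:status admin:repo_hook admin:org_hook read:org].freeze
# "Signature-only" tier: no scope at all, which still yields the user's identity.
LIMITED_SCOPES = [].freeze

SCOPE_TIERS = { limited: LIMITED_SCOPES, full: FULL_SCOPES }.freeze

# Options for `provider :github, ENV['GITHUB_KEY'], ENV['GITHUB_SECRET'], **opts`
# inside a `use OmniAuth::Builder do ... end` block. omniauth-github takes the
# scope list as one comma-separated string; an empty string requests no scope.
def omniauth_github_options(tier)
  { scope: SCOPE_TIERS.fetch(tier).join(",") }
end

# Parent scope => narrower scopes it implies, per GitHub's OAuth scope docs.
# Scopes absent from this table are treated as independent of each other.
IMPLIED_SCOPES = {
  "repo"            => %w[repo:status],
  "user"            => %w[user:email],
  "admin:repo_hook" => %w[write:repo_hook read:repo_hook],
  "write:repo_hook" => %w[read:repo_hook],
  "admin:org"       => %w[write:org read:org],
  "write:org"       => %w[read:org],
}.freeze

# "repo:status, read:org" (the X-OAuth-Scopes header value) -> ["repo:status", "read:org"]
def parse_oauth_scopes(header_value)
  header_value.to_s.split(",").map(&:strip).reject(&:empty?)
end

# Everything the granted scopes allow, with parent scopes expanded.
def effective_scopes(granted)
  granted.flat_map { |s| [s, *IMPLIED_SCOPES.fetch(s, [])] }.uniq
end

# Required scopes the token cannot satisfy, even via a broader parent scope.
def missing_scopes(granted, tier)
  SCOPE_TIERS.fetch(tier) - effective_scopes(granted)
end

# Granted scopes that are not exactly what the tier asks for. A token carrying
# `repo` where only `repo:status` is needed covers the requirement but is still
# over-privileged (it can read code), so it is reported here.
def excess_scopes(granted, tier)
  granted - SCOPE_TIERS.fetch(tier)
end

# One-call check for a token: parse the header, report gaps and over-privilege.
# `ok` is true only when the token carries exactly the tier's scopes.
def scope_report(x_oauth_scopes_header, tier)
  granted = parse_oauth_scopes(x_oauth_scopes_header)
  missing = missing_scopes(granted, tier)
  excess  = excess_scopes(granted, tier)
  { granted: granted, missing: missing, excess: excess, ok: missing.empty? && excess.empty? }
end

if __FILE__ == $PROGRAM_NAME
  p omniauth_github_options(:full)
  # Constructed header values, not real GitHub responses.
  p scope_report("user:email, repo:status, admin:repo_hook, admin:org_hook, read:org", :full)
  p scope_report("user, repo, gist", :full)   # the old omniauth-github README default
  p scope_report("", :limited)
end
```

The "user, repo, gist" case is the interesting one: it is the default from the omniauth-github README quoted above, and it both fails to cover the hook and org scopes this application needs and grants `repo` (full code access), which it does not need. That is the over-privilege the PR removes.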
@jasonm
Member

jasonm commented Feb 4, 2015

Looks reasonable; I'm hoping to get a free evening soon to verify against a live server.

@jugglinmike
Contributor Author

Great! Thanks for your help :)

@jugglinmike
Contributor Author

@jasonm I hate to bug you about this because I know it's a bit of a hassle, but it's the last piece we need to start using CLAHub for my project

@jasonm
Member

jasonm commented Feb 23, 2015

Hey @jugglinmike thanks for the ping.

I spun up https://clahub-staging.herokuapp.com and tested:

  • Signature-only ("limited") scoped auth for a new user
  • Upgrading signature-only ("limited") auth to full agreement-creation scope
  • Creating agreements and verifying commit status mechanics for a user repo
  • Creating agreements and verifying commit status mechanics for an org repo

Reference:

jasonmtest/clahub-test#1
clahub/clahub-org-test#11

I'll merge this & deploy to prod shortly.

jasonm added a commit that referenced this pull request Feb 23, 2015
@jasonm jasonm merged commit 28665ab into clahub:master Feb 23, 2015
@jasonm
Member

jasonm commented Feb 23, 2015

Nice - any existing user may update their scopes by visiting https://www.clahub.com/auth/github (linked from the big blue front page "Sign in..." button) which brings up a screen like the following, indicating the reduction in scopes:

[Screenshot: GitHub authorization screen, "screen shot 2015-02-22 at 5 41 54 pm"]

Going forwards, new users will only be asked for these limited scopes.

There is still the separation of signature-only limited scope -- (no scope) scope -- which exists to provide identity for signatures, so I think this is the minimal possible scoping for now.

Thanks for the PR @jugglinmike!

@ferventcoder

\o/

@jugglinmike
Contributor Author

Wow, GitHub has a really slick UI for managing OAuth rights.

This is working perfectly for my project. Thanks a ton, @jasonm!
