Use GitHub Apps instead of OAuth for the GitHub Backend #7108

Open
caendesilva opened this issue Feb 16, 2024 · 0 comments
Labels
area: extensions/backends/github type: feature code contributing to the implementation of a feature and/or user facing functionality

Comments

@caendesilva

Is your feature request related to a problem? Please describe.

The current use of OAuth Apps in Decap poses a significant security risk by requiring access to all private repositories. This is a concern for many users, and a dealbreaker for some.

Describe the solution you'd like
I suggest transitioning Decap to use the newer GitHub Apps instead of OAuth Apps. GitHub Apps offer more granular repository access, providing much better security by allowing users to specify access permissions on a per-repository basis. This would fix #4329.

Describe alternatives you've considered
Machine users have been proposed as an alternative, but that has many drawbacks.

Additional context
Transitioning to GitHub Apps aligns with best practices for security and would address the specific concerns outlined in issue #4329. Users would benefit from improved control over repository access, contributing to a more secure and reliable experience.

See https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/differences-between-github-apps-and-oauth-apps

@caendesilva caendesilva added the type: feature code contributing to the implementation of a feature and/or user facing functionality label Feb 16, 2024
caendesilva added a commit to hyde-staging/experimental-decap-integration that referenced this issue Feb 16, 2024