Add GitLab support #219
This PR primarily adds support for GitLab across Staticman's API
This includes the following notable changes:
Staticman API config
Staticman site config (
@ntsim Despite my big thanks for your clear instructions, my API server is still giving a 401 error. (All
Missing RSA key
In terms of the encryption key issue, I don't know what else it could be. I've triple-checked the steps and it's worked for me each time. I would suggest that you absolutely ensure that the key has been pasted in correctly, perhaps use a text editor to manually replace the line breaks in the private key with the
For the fields issue, you should use a
@ntsim Thank you again for your advice. I've switched to Sublime and Postman so as to copy accurately. After recreating another
What would be the source of
@ntsim Thanks again for this great PR! I'm sharing my views on some problems you've raised in previous posts: the storage of OAuth tokens in local browsers and cross-platform authentication.
After this success, I tested the setup steps 1--5 again with
Since comments from users of whatever Git service provider are welcome, this brings up the problem of authentication with different Git service providers that you outlined.
Remembering OpenID, I've found this answer about OpenID vs OAuth on Stack Overflow. During the testing, I confused the terms "authentication" and "authorization".
However, in the current OAuth + Web App flows, the
IMHO, to achieve authentic authentication, the OpenID flow does a better job.
@VincentTam have you set up your
```yaml
auth:
  required: false
```
I've had no issue just swapping it to false in my test repo then just POSTing to the
In terms of the actual authentication mechanism:
I'm a little confused about how OpenID would solve anything here. Implementing the original OpenID 2.0 spec would essentially require setting up another server. There's also the issue that it is marked as obsolete in favour of OpenID Connect.
OpenID Connect itself is just a layer on top of OAuth, which provides authentication as well as authorization. In fact, GitLab is actually an OpenID Connect identity provider. In the context of Staticman, I believe this would only have the slight benefit of giving us the option to retrieve the user's profile information in the OpenID Connect way.
We would still need OAuth to allow us to do just about anything on GitLab/GitHub. That said, you are correct that currently the authenticated commenter's OAuth access token does not actually expire. This could potentially pose a security issue if we're not careful with how we handle it.
Fortunately, I think we are 'relatively' covered on this as we are using RSA encryption on the access token. The intention of this is to prevent its misuse outside of the Staticman API. Consequently, some malicious user shouldn't be able to just get their hands on the token and start using it to impersonate the user.
That said, as I've mentioned before, we should probably try to offer recommendations to help users store any authentication information correctly on the client side.
Additionally, whilst RSA is currently secure (AFAIK), it does have some concerns over its long-term viability. I believe Libsodium's encryption primitives are usually preferred by security/crypto experts. Perhaps, something worth thinking about @eduardoboucas?
Thinking back, I should have confused my fork of your test project with my own one.
Big thanks for testing this and explaining the role of OpenID.
Currently, only GitLab users can post authenticated comments to a GitLab project. The proposed solution is great, but some work is needed to add support for each OAuth provider.
If OpenID is implemented here, provided that a GitHub/Google user has authenticated him/herself through OpenID, it's possible that he/she can post authenticated comments without a GitLab account?
I thought about this while being unaware of the need to set up another server---that would be too heavy to deal with.
referenced this pull request, Sep 12, 2018
As this PR is a bit incomplete without the ability to select the authentication identity provider independently of the site repository provider, I've gone and added the finishing touches (with respect to this discussion) in a new PR #231. Another one for you @eduardoboucas
Once that PR is in, it will be possible for a commenter to authenticate with either GitLab or GitHub (provided that the associated OAuth applications are set up correctly). It should be possible to expand this functionality in the future to encapsulate other providers such as Google, Auth0, etc.
I don't think OpenID and its abstractions are really required at any point. Currently Staticman will try to generalise any profile data from GitHub/GitLab into its own 'User' model. To me, this seems sufficient, but this could be something we could think about further if required.
Once cloned, it remains to configure the two config files. With KaTeX and Markdown support, that's much better than existing solutions (e.g. Disqus) for communicating math.
In fact, I find reCaptcha enough to distinguish my prof's and classmates
added a commit that referenced this pull request, Sep 14, 2018
Thanks to @ntsim 's continual help, I've created one running on a free dyno on Heroku at