Auth token and avatarUrl security improvements #1514
Changes proposed in this pull request:
The ability to set an avatarUrl as an API attribute is removed completely, fixing #1357.
This PR also removes AbstractOAuth2Controller. There is no reason to provide an implementation for a specific OAuth2 library in core; it's not generic enough (e.g. auth-twitter can't use it).
Scanned over the PR real quick, it seems to me that passing over the full payload will be sufficient for any use case.
Not sure if the column size is sufficient for all use cases, especially if multiple scopes have been enabled providing JSON about campaigns, pledges and whatnot. I think that was also the reason I had not pushed the full payload along; this could be circumvented in the implementation of a Patreon controller easily by removing unnecessary payload.
I am not sure I understand, but if you suggest that any property in the payload will be assigned to the user, then you will have an issue. E.g. we would need to know what tier the user is on at patreon.com; we allow passing that over so that after creation we can assign the role. The tier or tier_id column does not exist, so the database will complain that a user is being saved with attributes that it does not have columns for.
So we need a way to send additional payload from the response of the oauth2 server to after user creation/updating without setting them on the user.
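The pattern the thread converges on, written out as an added illustration (Python, not Flarum's or any extension's code): the provider payload is split into the attribute whitelist that may be mass-assigned to the user and the remainder that is handed to a post-creation hook, so an attacker-controlled avatarUrl never reaches the user model and provider-specific fields such as tier_id never hit a column that does not exist. The column set, the sample payload, the size limit and the role-assignment hook are all constructed for the example.

```python
import json
from dataclasses import dataclass

# Constructed: the columns the users table actually has. avatarUrl is
# deliberately absent, matching the PR's removal of it as a settable attribute.
USER_COLUMNS = frozenset({"username", "email"})

# Constructed: an assumed storage limit for the extra payload, standing in for
# the column-size concern raised in the thread.
MAX_EXTRA_BYTES = 4096

# Constructed sample of what an OAuth2 provider might return after the
# identity scope plus a couple of extra scopes were granted.
SAMPLE_PAYLOAD = {
    "username": "alice",
    "email": "alice@example.com",
    "avatarUrl": "https://attacker.example/evil.png",  # must never be assigned
    "tier_id": 3,                                      # no such column
    "campaigns": [{"id": 1, "name": "demo"}],          # bulky, not needed later
}


class UnknownAttribute(Exception):
    """Stands in for the database rejecting a column it does not have."""


@dataclass
class User:
    username: str
    email: str


def unknown_keys(payload, allowed=USER_COLUMNS):
    """Keys the naive 'assign everything' approach would try to save."""
    return sorted(set(payload) - set(allowed))


def assign_all(payload):
    """The naive approach from the thread: every payload key becomes a user
    attribute. Fails as soon as the provider sends anything non-standard."""
    extra = unknown_keys(payload)
    if extra:
        raise UnknownAttribute(extra)
    return User(**payload)


def split_payload(payload, allowed=USER_COLUMNS):
    """Whitelist split: (attributes safe to mass-assign, everything else)."""
    attrs = {k: v for k, v in payload.items() if k in allowed}
    extra = {k: v for k, v in payload.items() if k not in allowed}
    return attrs, extra


def trim_extra(extra, keep):
    """Drop payload the controller does not need before it is stored, the
    mitigation suggested for the column-size concern."""
    return {k: v for k, v in extra.items() if k in keep}


def extra_fits(extra, limit=MAX_EXTRA_BYTES):
    return len(json.dumps(extra).encode()) <= limit


def register_from_oauth(payload, after_create, keep_extra=("tier_id",)):
    """Create the user from whitelisted attributes only, then hand the
    trimmed remainder to a hook that runs after creation."""
    attrs, extra = split_payload(payload)
    extra = trim_extra(extra, keep_extra)
    if not extra_fits(extra):
        raise ValueError("extra payload exceeds storage limit")
    user = User(**attrs)
    after_create(user, extra)
    return user


# Constructed hook: a Patreon-style controller assigning a role from the tier
# without ever writing tier_id to the users table.
ROLES = {}


def assign_role_from_tier(user, extra):
    tier = extra.get("tier_id")
    if tier is not None:
        ROLES[user.username] = f"tier-{tier}"


if __name__ == "__main__":
    u = register_from_oauth(SAMPLE_PAYLOAD, assign_role_from_tier)
    print(u, ROLES)
```

The important property is that the whitelist lives on the user-creation side, not in each provider controller: a new extension cannot reintroduce avatarUrl (or any other column) by forwarding it, and anything it does need after creation travels in the extra payload rather than on the model.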