GitHub app API query parameter deprecation

[fletchto99]

GitHub is going to be deprecating sending the client ID and client secret as query parameters. Gitalk will need to be updated to use basic authentication. For more information see: https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters

This has been fixed in #346 and pushed out in v1.52

[klboke]

都收到通知邮件了

[AriaLyy]

+1，今天被这个邮件轰炸了

[AriaLyy]

有老哥知道该怎么解决吗？

[wangriyu]

+1

[40huo]

+1

[Mabbs]

+1

[ldzhangyx]

我也收到了，蹲一个解决

[sparkydogX]

+1

[L1H0n9Jun]

+1 Mark

[lonelyion]

mark, same problem

[jiangzhonglian]

+1 Mark

[wizardforcel]

plz modify HTTP requests to put client_id in the Authentication header.

[deamwork]

It uses window.location.href for Github authorization redirect, so it may need to refactor on how to redirect. ref
The request is pure query parameters located at line 160~169

Right now, the browser can't produce a GET request with a modified header. Only POST can do. So I have no idea how to fix this without 3rd party support(e.g., forward by the backend, etc.)

[YunYouJun]

Is there any temporary solution?

[geektutu]

GitHub is deprecating authentication to the GitHub API using query parameters, such as using a access_token query parameter for OAuth user authentication or a client_id/client_secret query parameter for OAuth application authentication. All authentication to the GitHub API should be done using HTTP basic authentication.

Gitalk should use basic auth to replace client_id/client_secret query parameter.

I open a pull request diff to resolve the issue, about ten lines are modified. And I regenerate gitalk.min.js. All regenerated files are here

Follow next steps

• Use the new gitalk.min.js to replace the old one

If you need higher limit rate

• [Optional] Goto accessToken to generate a public read-only token (Don't select any scope)

• [Optional] Config your token in your template

const gitalk = new Gitalk({
  clientID: 'GitHub Application Client ID',
  clientSecret: 'GitHub Application Client Secret',
  accessToken: 'Github Personal Access Token',   // IMPORTANT !!!
  repo: 'GitHub repo',
  owner: 'GitHub repo owner',
  ...
})

[Mabbs]

GitHub is deprecating authentication to the GitHub API using query parameters, such as using a access_token query parameter for OAuth user authentication or a client_id/client_secret query parameter for OAuth application authentication. All authentication to the GitHub API should be done using HTTP basic authentication.

Gitalk should use basic auth to replace client_id/client_secret query parameter.

I open a pull request diff to resolve the issue, about ten lines are modified. And I regenerate gitalk.min.js. All regenerated files are here

Follow next steps

• Goto accessToken to generate a public read-only token
• Use the new gitalk.min.js to replace the old one
• Config your token in your template

const gitalk = new Gitalk({
  clientID: 'GitHub Application Client ID',
  clientSecret: 'GitHub Application Client Secret',
  accessToken: 'Github Personal Access Token',   // here !!!
  repo: 'GitHub repo',
  owner: 'GitHub repo owner',
  admin: ['GitHub repo owner and collaborators, only these guys can initialize github issues'],
  id: location.pathname,      // Ensure uniqueness and length less than 50
  distractionFreeMode: false  // Facebook-like distraction free mode
})

How to generate a public read-only token?I just find Access public repositories permission.It's dangerous.

[geektutu]

@Mabbs

About accessToken security

According to Understanding scopes for OAuth Apps, if you don't select any scope when generating your access token, the token just grants read-only access to public information.

Here is my blog, it works well.

If you find it dangerous, please tell me to revoke it, thank you.

[draveness]

@Mabbs

About accessToken security

According to Understanding scopes for OAuth Apps, if you don't select any scope when generating your access token, the token just grants read-only access to public information.

Here is my blog, it works well.

If you find it dangerous, please tell me to revoke it, thank you.

So is it possible to create a new github account to generate the public access token?

[geektutu]

@draveness You're right, gitalk uses access token( client secret before) to get higher api rate limit, so any account's access token is ok.

with access token, 5000 requests per hour

curl -H "Authorization: token YOUR TOKEN" https://api.github.com/rate_limit
{
  "resources": {
    "core": {
      "limit": 5000,
      "remaining": 4961,
      "reset": 1580799676
    },
...

without access token, 60 requests per hour.

curl https://api.github.com/rate_limit 
{
  "resources": {
    "core": {
      "limit": 60,
      "remaining": 60,
      "reset": 1580801932

See Rate limiting

One more thing

• For login user, use their own access token that's granted by themselves when login.
• For anonymous user, use access token configured by you.

    const { owner, repo, id, labels, accessToken } = this.options
    return axiosGithub.get(`/repos/${owner}/${repo}/issues`, {
      headers: {
        Authorization: `token ${this.accessToken || accessToken}`
      },
    ...

[draveness]

@draveness You're right, gitalk uses access token( client secret before) to get higher api rate limit, so any account's access token is ok.

with access token, 5000 requests per hour

curl -H "Authorization: token YOUR TOKEN" https://api.github.com/rate_limit
{
  "resources": {
    "core": {
      "limit": 5000,
      "remaining": 4961,
      "reset": 1580799676
    },
...

without access token, 60 requests per hour.

curl https://api.github.com/rate_limit 
{
  "resources": {
    "core": {
      "limit": 60,
      "remaining": 60,
      "reset": 1580801932

See Rate limiting

One more thing

• For login user, use their own access token that's granted by themselves when login.
• For anonymous user, use access token configured by you.

    const { owner, repo, id, labels, accessToken } = this.options
    return axiosGithub.get(`/repos/${owner}/${repo}/issues`, {
      headers: {
        Authorization: `token ${this.accessToken || accessToken}`
      },
    ...

Thanks for the detailed explanation.

[fletchto99]

@geektutu It would probably be better to just use anonymous requests here. Since the API request would be associated with the user's IP instead of your account (for example if they grabbed your PAT and began to abuse it). Since the limit is only used to retrieve comments 60 should be plenty. I'd also be worried about someone generating a PAT with too large of a scope such that a malicious actor could abuse it. Furthermore users who are logged in won't have any rate limit issues.

[geektutu]

@fletchto99 Your worry is right. However, many people share the same public IP, eg, through the same gateway of the company, or in some areas where IP is lacking. Each page will cost 2 or more requests. 60 per hour will be used up soon. Probably it'll bring bad experience. I have no idea but to add danger notice to guide people to select nothing when generating PAT.

[chenbin-353549444]

+1 Mark

[peanut996]

+1

[besscroft]

+1

[honeyshine75]

+1 Mark

[q191201771]

mark

[yeung66]

关注，我也出现了这个问题

[removeif]

蹲一个万全之策.

[Mabbs]

蹲一个万全之策.

以我博客的访问量，就geektutu的解决方案感觉已经很完美了

[hooray]

傻逼github，明明說「we'll be sending you this email reminder at most once every 3 days」，結果一天給我發了幾封！

笑喷，我github绑了3个邮箱，而且邮箱邮件全部设置转发到指定邮箱。一天差不多就是9封。

我就一个账号，但今天就收到了近20封

[RimoChan]

傻逼github，明明說「we'll be sending you this email reminder at most once every 3 days」，結果一天給我發了幾封！

at most 啦 😂

at most 修飾的是分子 once 不是分母 3 days ，頻率應該變小而不是變大啊。

[meibin08]

GitHub is deprecating authentication to the GitHub API using query parameters, such as using a access_token query parameter for OAuth user authentication or a client_id/client_secret query parameter for OAuth application authentication. All authentication to the GitHub API should be done using HTTP basic authentication.

Gitalk should use basic auth to replace client_id/client_secret query parameter.

I open a pull request diff to resolve the issue, about ten lines are modified. And I regenerate gitalk.min.js. All regenerated files are here

Follow next steps

• Use the new gitalk.min.js to replace the old one

If you need higher limit rate

• [Optional] Goto accessToken to generate a public read-only token (Don't select any scope)
• [Optional] Config your token in your template

const gitalk = new Gitalk({
  clientID: 'GitHub Application Client ID',
  clientSecret: 'GitHub Application Client Secret',
  accessToken: 'Github Personal Access Token',   // IMPORTANT !!!
  repo: 'GitHub repo',
  owner: 'GitHub repo owner',
  ...
})

我的也收到了，按你的方法，去生成了一个token，不知道还会不会发邮件！

[Aqua-Dream]

插眼

[MHuiG]

关注

[booxood]

不好意思给大家带来了烦恼。

已经合并了 PR #344，发布了 v1.5.1，麻烦大家升级一下版本，并增加配置 accessToken。

感谢 @geektutu 👏👏👏

---

Sorry for the trouble.

Has been merged PR #344 and released v1.5.1. Please update the version and add option 'accessToken'.

Thanks to @geektutu 👏 👏 👏.

[fletchto99]

I've opened #346 to address the concerns I had expressed in #343 (comment) - I've confirmed with GitHub that sending the client_id and client_secret as basic auth is a supported flow so I believe this would be the best route forward.

[qcmoke]

我也遇到了同样的问题，怎么个具体解决呢？

[booxood]

@qcmoke 更新最新版本，不用修改配置，确保版本 >=v1.5.2。

具体详情可以看 #346。

[qcmoke]

@qcmoke 更新最新版本，不用修改配置，确保版本 >=v1.5.2。

具体详情可以看 #346。

我使用的是如下方式引入的,通过浏览器调试发现确实是版本 >=v1.5.2**了的，但是还是每天会收到github的邮件提醒！请问怎么回事呢？

<link rel="stylesheet" href="https://unpkg.com/gitalk/dist/gitalk.css">
<script src="https://unpkg.com/gitalk/dist/gitalk.min.js"></script>

调式版本如下图：

[MHuiG]

@qcmoke 更新最新版本，不用修改配置，确保版本 >=v1.5.2。
具体详情可以看 #346。

我使用的是如下方式引入的,通过浏览器调试发现确实是版本 >=v1.5.2**了的，但是还是每天会收到github的邮件提醒！请问怎么回事呢？

<link rel="stylesheet" href="https://unpkg.com/gitalk/dist/gitalk.css">
<script src="https://unpkg.com/gitalk/dist/gitalk.min.js"></script>

调式版本如下图：

这可能是因为浏览器缓存或者CDN缓存未刷新的问题，问题缓存可能不在你这里，你的用户没有刷新缓存。

可以尝试将gitalk js和css 保存到本地后引用。

或者指定版本号

<link rel="stylesheet" href="https://unpkg.com/gitalk@1.6.0/dist/gitalk.css">
<script src="https://unpkg.com/gitalk@1.6.0/dist/gitalk.min.js"></script>

[minbaby]

@qcmoke 更新最新版本，不用修改配置，确保版本 >=v1.5.2。
具体详情可以看 #346。

我使用的是如下方式引入的,通过浏览器调试发现确实是版本 >=v1.5.2**了的，但是还是每天会收到github的邮件提醒！请问怎么回事呢？

<link rel="stylesheet" href="https://unpkg.com/gitalk/dist/gitalk.css">
<script src="https://unpkg.com/gitalk/dist/gitalk.min.js"></script>

调式版本如下图：

看你图中，引用了两次 gitalk 资源文件，猜测一个是新的，一个是旧的，旧的只要初始化就会发告警邮件。

[qcmoke]

@qcmoke 更新最新版本，不用修改配置，确保版本 >=v1.5.2。
具体详情可以看 #346。

我使用的是如下方式引入的,通过浏览器调试发现确实是版本 >=v1.5.2**了的，但是还是每天会收到github的邮件提醒！请问怎么回事呢？

<link rel="stylesheet" href="https://unpkg.com/gitalk/dist/gitalk.css">
<script src="https://unpkg.com/gitalk/dist/gitalk.min.js"></script>

调式版本如下图：

看你图中，引用了两次 gitalk 资源文件，猜测一个是新的，一个是旧的，旧的只要初始化就会发告警邮件。

已经解决了，谢谢，是缓存的原因

[qcmoke]

@qcmoke 更新最新版本，不用修改配置，确保版本 >=v1.5.2。
具体详情可以看 #346。

我使用的是如下方式引入的,通过浏览器调试发现确实是版本 >=v1.5.2**了的，但是还是每天会收到github的邮件提醒！请问怎么回事呢？

<link rel="stylesheet" href="https://unpkg.com/gitalk/dist/gitalk.css">
<script src="https://unpkg.com/gitalk/dist/gitalk.min.js"></script>

调式版本如下图：

看你图中，引用了两次 gitalk 资源文件，猜测一个是新的，一个是旧的，旧的只要初始化就会发告警邮件。

已经解决了，谢谢，是缓存的原因

@qcmoke 更新最新版本，不用修改配置，确保版本 >=v1.5.2。
具体详情可以看 #346。

我使用的是如下方式引入的,通过浏览器调试发现确实是版本 >=v1.5.2**了的，但是还是每天会收到github的邮件提醒！请问怎么回事呢？

<link rel="stylesheet" href="https://unpkg.com/gitalk/dist/gitalk.css">
<script src="https://unpkg.com/gitalk/dist/gitalk.min.js"></script>

调式版本如下图：

这可能是因为浏览器缓存或者CDN缓存未刷新的问题，问题缓存可能不在你这里，你的用户没有刷新缓存。

可以尝试将gitalk js和css 保存到本地后引用。

或者指定版本号

<link rel="stylesheet" href="https://unpkg.com/gitalk@1.6.0/dist/gitalk.css">
<script src="https://unpkg.com/gitalk@1.6.0/dist/gitalk.min.js"></script>

已经解决了，谢谢，确实是缓存的原因