GitHub app API query parameter deprecation #343

Closed
fletchto99 opened this issue Feb 3, 2020 · 57 comments · Fixed by #346 or theme-next/hexo-theme-next#1369

Comments

@fletchto99 fletchto99 (Contributor) commented Feb 3, 2020

GitHub is going to be deprecating sending the client ID and client secret as query parameters. Gitalk will need to be updated to use basic authentication. For more information see: https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters

This has been fixed in #346 and pushed out in v1.5.2

@fletchto99 fletchto99 changed the title Query parameter deprecation GitHub app API query parameter deprecation Feb 3, 2020
@klboke klboke commented Feb 4, 2020

We all got the notification email.

@AriaLyy AriaLyy commented Feb 4, 2020

+1, I got bombarded with this email today.

@AriaLyy AriaLyy commented Feb 4, 2020

Does anyone know how to fix this?


@wangriyu wangriyu commented Feb 4, 2020

+1


@40huo 40huo commented Feb 4, 2020

+1


@Mabbs Mabbs commented Feb 4, 2020

+1

@ldzhangyx ldzhangyx commented Feb 4, 2020

I got it too; waiting for a fix.


@sparkydogX sparkydogX commented Feb 4, 2020

+1


@L1H0n9Jun L1H0n9Jun commented Feb 4, 2020

+1 Mark


@lonelyion lonelyion commented Feb 4, 2020

mark, same problem


@jiangzhonglian jiangzhonglian commented Feb 4, 2020

+1 Mark

@wizardforcel wizardforcel commented Feb 4, 2020

Please modify the HTTP requests to put client_id in the Authentication header.

@deamwork deamwork commented Feb 4, 2020

It uses window.location.href for the GitHub authorization redirect, so the redirect may need refactoring (ref).
The request is pure query parameters, located at lines 160 to 169.

Right now, the browser can't produce a GET request with a modified header. Only POST can. So I have no idea how to fix this without third-party support (e.g., forwarding through a backend).


@YunYouJun YunYouJun commented Feb 4, 2020

Is there any temporary solution?

@geektutu geektutu (Contributor) commented Feb 4, 2020

> GitHub is deprecating authentication to the GitHub API using query parameters, such as using an access_token query parameter for OAuth user authentication or a client_id/client_secret query parameter for OAuth application authentication. All authentication to the GitHub API should be done using HTTP basic authentication.

Gitalk should use basic auth to replace the client_id/client_secret query parameters.

I opened a pull request (diff) to resolve the issue; about ten lines are modified. I also regenerated gitalk.min.js. All regenerated files are here.

Follow the next steps.

If you need a higher rate limit:

  • [Optional] Go to accessToken to generate a public read-only token (don't select any scope)
  • [Optional] Configure your token in your template

```js
const gitalk = new Gitalk({
  clientID: 'GitHub Application Client ID',
  clientSecret: 'GitHub Application Client Secret',
  accessToken: 'Github Personal Access Token',   // IMPORTANT !!!
  repo: 'GitHub repo',
  owner: 'GitHub repo owner',
  ...
})
```
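The change this thread is about, as an added example in JavaScript that is not gitalk's own code: the deprecated query-string form beside the two header forms GitHub still accepts (HTTP Basic with client_id:client_secret, and a token in the Authorization header for a logged-in user's OAuth token or a site-wide personal access token), plus a small check that flags request URLs still carrying client_id, client_secret or access_token. The function and option names (deprecatedQueryUrl, usesDeprecatedQueryAuth, resolveAuthorization, buildIssuesRequest, userToken, siteToken) are assumptions chosen for illustration, and every credential value is a constructed placeholder. It runs under Node; in a browser, btoa() replaces Buffer.

```javascript
// Added example, not gitalk's code. Shows the deprecated query-string form of
// GitHub API authentication next to the header forms that replace it, plus a
// check for URLs that still carry credentials. All names and values below are
// assumptions for illustration; no credential here is real.

const API = 'https://api.github.com';

// Deprecated form: client_id/client_secret (or access_token) in the query
// string. Credentials in a URL end up in server logs, browser history, Referer
// headers and shared caches, which is why GitHub retired it.
function deprecatedQueryUrl(owner, repo, clientID, clientSecret) {
  const u = new URL(`${API}/repos/${owner}/${repo}/issues`);
  u.searchParams.set('client_id', clientID);
  u.searchParams.set('client_secret', clientSecret);
  return u.toString();
}

// Detector: which of the retired query parameters does this URL still carry?
// Run it over request URLs seen in a proxy log or pulled from an old bundle.
const DEPRECATED_QUERY_PARAMS = ['client_id', 'client_secret', 'access_token'];
function usesDeprecatedQueryAuth(url) {
  const params = new URL(url).searchParams;
  return DEPRECATED_QUERY_PARAMS.filter((p) => params.has(p));
}

// Supported form 1: HTTP Basic with client_id as the user name and
// client_secret as the password (the flow fletchto99 confirmed with GitHub for #346).
function basicAuthHeader(clientID, clientSecret) {
  // Buffer is Node; in a browser use btoa() on the same "id:secret" string.
  const encoded = Buffer.from(`${clientID}:${clientSecret}`, 'utf8').toString('base64');
  return `Basic ${encoded}`;
}

// Supported form 2: a token in the Authorization header, for the logged-in
// user's OAuth token or a site-wide personal access token (the v1.5.1 approach).
function tokenAuthHeader(token) {
  return `token ${token}`;
}

// Resolution order for the widget's read path: the visitor's own token wins,
// then a site-configured token, then app credentials, then anonymous (60/hour per IP).
function resolveAuthorization({ userToken, siteToken, clientID, clientSecret } = {}) {
  if (userToken) return { mode: 'user-token', header: tokenAuthHeader(userToken) };
  if (siteToken) return { mode: 'site-token', header: tokenAuthHeader(siteToken) };
  if (clientID && clientSecret) return { mode: 'app-basic', header: basicAuthHeader(clientID, clientSecret) };
  return { mode: 'anonymous', header: null };
}

// Build the issues request: credentials only ever go in headers, never in the URL.
function buildIssuesRequest(owner, repo, auth) {
  const headers = { Accept: 'application/vnd.github.v3+json' };
  const { mode, header } = resolveAuthorization(auth);
  if (header) headers.Authorization = header;
  return { mode, url: `${API}/repos/${owner}/${repo}/issues`, headers };
}
```

Moving the credential from the query string to a header keeps it out of URLs, logs, Referer headers and caches; it does not make it secret, because anything in the widget's config ships to every visitor. usesDeprecatedQueryAuth is the quick way to find stragglers: point it at the request URLs an old bundle produces, or at the URLs in a proxy log, and any hit is a copy of the pre-fix script still being served.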

@Mabbs Mabbs commented Feb 4, 2020

> Follow next steps
>
>   • Goto accessToken to generate a public read-only token
>   • Use the new gitalk.min.js to replace the old one
>   • Config your token in your template

How do I generate a public read-only token? I only found the "Access public repositories" permission. It's dangerous.

@geektutu geektutu (Contributor) commented Feb 4, 2020

@Mabbs

About accessToken security

According to Understanding scopes for OAuth Apps, if you don't select any scope when generating your access token, the token just grants read-only access to public information.

Here is my blog, it works well.

If you find it dangerous, please tell me to revoke it, thank you.

@draveness draveness commented Feb 4, 2020

> According to Understanding scopes for OAuth Apps, if you don't select any scope when generating your access token, the token just grants read-only access to public information.

So is it possible to create a new GitHub account to generate the public access token?

@geektutu geektutu (Contributor) commented Feb 4, 2020

@draveness You're right, gitalk uses the access token (the client secret before) to get a higher API rate limit, so any account's access token is OK.

With an access token, 5000 requests per hour:

```sh
curl -H "Authorization: token YOUR_TOKEN" https://api.github.com/rate_limit
{
  "resources": {
    "core": {
      "limit": 5000,
      "remaining": 4961,
      "reset": 1580799676
    },
...
```

Without an access token, 60 requests per hour:

```sh
curl https://api.github.com/rate_limit
{
  "resources": {
    "core": {
      "limit": 60,
      "remaining": 60,
      "reset": 1580801932
```

See Rate limiting.

One more thing:

  • For a logged-in user, use their own access token, granted by them when they log in.
  • For an anonymous user, use the access token configured by you.

```js
const { owner, repo, id, labels, accessToken } = this.options
return axiosGithub.get(`/repos/${owner}/${repo}/issues`, {
  headers: {
    Authorization: `token ${this.accessToken || accessToken}`
  },
...
```

@draveness draveness commented Feb 4, 2020

> @draveness You're right, gitalk uses the access token (the client secret before) to get a higher API rate limit, so any account's access token is OK.

Thanks for the detailed explanation.

@fletchto99 fletchto99 (Contributor, Author) commented Feb 4, 2020

@geektutu It would probably be better to just use anonymous requests here, since the API request would be associated with the user's IP instead of your account (for example, if they grabbed your PAT and began to abuse it). Since the limit is only used to retrieve comments, 60 should be plenty. I'd also be worried about someone generating a PAT with too large a scope, such that a malicious actor could abuse it. Furthermore, users who are logged in won't have any rate limit issues.

@geektutu geektutu (Contributor) commented Feb 4, 2020

@fletchto99 Your worry is right. However, many people share the same public IP, e.g., through the same company gateway, or in some regions where IP addresses are scarce. Each page costs 2 or more requests, so 60 per hour will be used up soon. That would probably be a bad experience. I have no idea other than to add a danger notice that guides people to select nothing when generating a PAT.
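The trade-off fletchto99 and geektutu discuss above, as an added example in JavaScript that is not gitalk's code: before embedding a site-wide token, read the X-OAuth-Scopes and X-RateLimit-Limit headers that GitHub returns on an authenticated call such as GET /rate_limit, and refuse any token that carries a scope at all. The header sets below are constructed to look like those responses, not real captures; assessEmbeddedToken, parseScopes and WRITE_SCOPES are names chosen here.

```javascript
// Added example, not gitalk's code. Decides whether a personal access token is
// acceptable to ship inside a public web page by inspecting the headers GitHub
// attaches to authenticated API responses. Sample header sets are constructed.

// GitHub reports the token's granted scopes as a comma-separated list in
// X-OAuth-Scopes; an empty value means a no-scope token (public read-only).
function parseScopes(headerValue) {
  if (!headerValue) return [];
  return headerValue.split(',').map((s) => s.trim()).filter(Boolean);
}

// Classic-token scopes that let a leaked token change something. Any scope is
// already a reason to refuse; these only sharpen the reported reason.
const WRITE_SCOPES = new Set([
  'repo', 'public_repo', 'user', 'gist', 'workflow', 'delete_repo',
  'admin:org', 'write:discussion',
]);

function assessEmbeddedToken(headers) {
  // Header names are case-insensitive; normalise once.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const scopes = parseScopes(h['x-oauth-scopes']);
  const limit = Number(h['x-ratelimit-limit'] || 0);
  const writeScopes = scopes.filter(
    (s) => WRITE_SCOPES.has(s) || s.startsWith('write:') || s.startsWith('admin:'),
  );

  const reasons = [];
  if (scopes.length > 0) reasons.push(`token carries scopes: ${scopes.join(', ')}`);
  if (writeScopes.length > 0) reasons.push(`scopes grant write access: ${writeScopes.join(', ')}`);
  // A limit below 5000 means the call was not credited to the token
  // (bad token, or none sent), so there is nothing worth embedding.
  if (limit < 5000) reasons.push(`rate limit ${limit} indicates the token was not accepted`);

  return { safeToEmbed: reasons.length === 0, scopes, writeScopes, limit, reasons };
}

// Constructed sample responses, shaped like GitHub's headers but not captured.
const NO_SCOPE_TOKEN_HEADERS = { 'X-OAuth-Scopes': '', 'X-RateLimit-Limit': '5000' };
const REPO_SCOPE_TOKEN_HEADERS = { 'X-OAuth-Scopes': 'repo, user', 'X-RateLimit-Limit': '5000' };
const READ_ORG_TOKEN_HEADERS = { 'X-OAuth-Scopes': 'read:org', 'X-RateLimit-Limit': '5000' };
const ANONYMOUS_HEADERS = { 'X-RateLimit-Limit': '60' };
```

Fetch the real headers with `curl -sI -H "Authorization: token YOUR_TOKEN" https://api.github.com/rate_limit` and pass them in. A no-scope token still identifies an account: whoever reads it out of the page can spend that account's 5000 requests per hour until it is revoked, and GitHub revokes its own tokens when it finds them committed to public repositories, which is exactly where a static blog's config lives. So treat the embedded token as disposable, issue it from a dedicated account as draveness suggests, and be ready to rotate it.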


@chenbin-353549444 chenbin-353549444 commented Feb 4, 2020

+1 Mark


@peanut996 peanut996 commented Feb 4, 2020

+1


@besscroft besscroft commented Feb 4, 2020

+1


@honeyshine75 honeyshine75 commented Feb 4, 2020

+1 Mark


@q191201771 q191201771 commented Feb 4, 2020

mark

@yeung66 yeung66 commented Feb 5, 2020

Following; I have this problem too.

@removeif removeif commented Feb 5, 2020

Waiting for a foolproof solution.

@Mabbs Mabbs commented Feb 5, 2020

> Waiting for a foolproof solution.

With my blog's traffic, geektutu's solution already feels perfect.

@hooray hooray commented Feb 5, 2020

> Stupid GitHub, it clearly says "we'll be sending you this email reminder at most once every 3 days", yet it sent me several in one day!

> LOL, I have 3 email addresses linked to my GitHub account, and all of them forward to one designated mailbox. That's about 9 a day.

I only have one account, but I got nearly 20 today.

@RimoChan RimoChan commented Feb 5, 2020

> Stupid GitHub, it clearly says "we'll be sending you this email reminder at most once every 3 days", yet it sent me several in one day!

It says "at most" 😂

"At most" modifies the numerator, "once", not the denominator, "3 days"; the frequency should go down, not up.

@meibin08 meibin08 commented Feb 6, 2020

> If you need a higher rate limit:
>
>   • [Optional] Go to accessToken to generate a public read-only token (don't select any scope)
>   • [Optional] Configure your token in your template

I got it too. Following your method, I generated a token; not sure whether the emails will keep coming!

@Aqua-Dream Aqua-Dream commented Feb 6, 2020

Bookmarking.

@MHuiG MHuiG (Contributor) commented Feb 6, 2020

Following.

@booxood booxood (Collaborator) commented Feb 6, 2020

Sorry for the trouble.

PR #344 has been merged and v1.5.1 released. Please update to that version and add the 'accessToken' option.

Thanks to @geektutu 👏 👏 👏

@fletchto99 fletchto99 (Contributor, Author) commented Feb 6, 2020

I've opened #346 to address the concerns I had expressed in #343 (comment) - I've confirmed with GitHub that sending the client_id and client_secret as basic auth is a supported flow so I believe this would be the best route forward.

@qcmoke qcmoke commented Feb 6, 2020

I hit the same problem; what exactly is the fix?

@booxood booxood (Collaborator) commented Feb 7, 2020

@qcmoke Update to the latest version; no configuration changes are needed, just make sure the version is >= v1.5.2.

See #346 for details.

@booxood booxood pinned this issue Feb 7, 2020
miaotony added a commit to miaotony/hexo-theme-matery that referenced this issue Feb 7, 2020
Update dependency Gitalk to V1.5.2.
Fix `GitHub app API query parameter deprecation`.

Email bombs from GitHub said that **"Please use Basic Authentication instead as using OAuth credentials in query parameters has been deprecated."**

Gitalk V1.5.2 fixed the problem without any changes to other files.

For more information, visit
gitalk/gitalk#343, or gitalk/gitalk#343.
tao12345666333 added a commit to tao12345666333/tao12345666333.github.io that referenced this issue Feb 7, 2020
iamwwc added a commit to iamwwcposts/maupassant-hexo that referenced this issue Feb 8, 2020
@qcmoke qcmoke commented Feb 16, 2020

> @qcmoke Update to the latest version; no configuration changes are needed, just make sure the version is >= v1.5.2.
>
> See #346 for details.

I include it as follows, and browser debugging confirms the version really is >= v1.5.2, but I still receive GitHub's email reminder every day! What's going on?

```html
<link rel="stylesheet" href="https://unpkg.com/gitalk/dist/gitalk.css">
<script src="https://unpkg.com/gitalk/dist/gitalk.min.js"></script>
```

Debug view of the version: [screenshot]

@MHuiG MHuiG (Contributor) commented Feb 16, 2020

> I include it as follows, and browser debugging confirms the version really is >= v1.5.2, but I still receive GitHub's email reminder every day! What's going on?

This is probably a browser cache or a CDN cache that has not been refreshed. The stale cache may not be on your side: your visitors have not refreshed theirs.

You can try saving the gitalk js and css locally and referencing them from there.

Or pin the version number:

```html
<link rel="stylesheet" href="https://unpkg.com/gitalk@1.6.0/dist/gitalk.css">
<script src="https://unpkg.com/gitalk@1.6.0/dist/gitalk.min.js"></script>
```

@minbaby minbaby commented Feb 17, 2020

> I include it as follows, and browser debugging confirms the version really is >= v1.5.2, but I still receive GitHub's email reminder every day! What's going on?

From your screenshot, the gitalk resource files are loaded twice. My guess is that one is new and one is old, and the old one sends the warning email as soon as it initializes.

@qcmoke qcmoke commented Feb 18, 2020

> From your screenshot, the gitalk resource files are loaded twice. My guess is that one is new and one is old, and the old one sends the warning email as soon as it initializes.

Solved, thanks; it was the cache.

@qcmoke qcmoke commented Feb 18, 2020

> This is probably a browser cache or a CDN cache that has not been refreshed. The stale cache may not be on your side: your visitors have not refreshed theirs.
>
> Or pin the version number:

Solved, thanks; it really was the cache.

@booxood booxood unpinned this issue Jan 31, 2021