Add new Authentication Source: GitHub, including GitHub Enterprise

[luhaixun]

This is a reopen of pull request #5306 as closed by mistake. The PR will support GitHub Authentication both for github.com and any customized GitHub Enterprise.

The related issues are:
#2927
#3033

[cupen]

Looks good to me.

[cupen]

I register local gogs account with my email which same as my github account used, then I meet a problem with github login.
Error log:

2018/07/25 16:38:02 [ERROR] [...g/context/context.go:175 ServerError()] UserLogin: e-mail has been used [email: me@xxmail.com]

[cupen]

How about use oauth2.0 ? You know, put user's password in the memory of your computer wasn't very safety. And using oauth2.0 means that other third-party services can be integrated easily and quickly, not just github.

[luhaixun]

@cupen for the first email issue, that's because Gogs has already has that email linked to another account, you should change to another one and try again.

As of safety concerns, although the credential token will be encrypted before storing it in the database, I feel they share the same security risk.

OAuth2.0 is a good idea, but it is not friendly if the same user uses different browser or clean the browser cache before login, he has to authorize it every time.

[cupen]

@luhaixun Thanks for your feedback. It looks like we have two different viewpoint.

1. security issue
   I'm not just meaning "password store". We know, if not https, the username/password is transmitted in clear text, from user's machine to your(or him or mine) gogs machine. It's a long-range could be attacked if the username/password is the third-part services account of yours. e.g.: github, google? double-kill, triple-kill. So it's not a little problem, though it's not your code's mistake. Maybe we can refactor a little code of gogs account system for adapte oauth2.0 ?

2. oauth2.0 is not friendly ?
   Yes or no. But I tend to think the vast majority of usercases is: one browser <--> one service.
   e.g. I use gmail in chrome, weixin chat in firefox, not use gmail or weixin chat both in chrome and firefox.

[luhaixun]

@cupen For [1] security concern, I agree with you that it's a good chance for Gogs think more about this. 💯

As of [2], yes we have a different view indeed because my Chrome profile is set to clear all cache every time after I close the browser, which is hard set by our Dev IT. :(

[ibearth2025]

Yes it seems good

[ibearth2025]

But obviously oAuth is needed , @unknwon can you please re-implement oAuth ?

[unknwon]

I'm merging this into a feature branch because of some required fixes/changes. Thanks for the PR!

[unknwon]

security issue
I'm not just meaning "password store". We know, if not https, the username/password is transmitted in clear text, from user's machine to your(or him or mine) gogs machine. It's a long-range could be attacked if the username/password is the third-part services account of yours. e.g.: github, google? double-kill, triple-kill. So it's not a little problem, though it's not your code's mistake. Maybe we can refactor a little code of gogs account system for adapte oauth2.0 ?

Just tested and proved that use personal access token as password with user profile permission actually works. So no password transmission at all.

[unknwon]

Merged into develop branch.

[ghost]

Getting this error

Unknown error: RangeError

[unknwon]

@CodingPurple thanks your feedback! But your feedback is as vague as said nothing. Can you provide detailed steps?

[ghost]

Hello @unknwon! I'm getting this error while creating new auth

admin > auths > new

[unknwon]

@codeskyblue Hi, I cannot reproduce this error. I suspect you are using a modified version of Gogs and changed validation rule to make a "Range" binding rule to be required.

[luhaixun]

@codeskyblue could you help run below query in your gogs database for a quick check?

select id,type from login_source;