GitHub authorizations should be limited to the strict minimum #6

Open
mvila opened this issue Nov 17, 2020 · 4 comments

Comments

@mvila

mvila commented Nov 17, 2020

Currently, when I try to sign in, GitHub asks me to grant the following authorizations:

Personal user data
Full access
This application will be able to read and write all user data. This includes the following:

Private email addresses
Private profile information
Followers

I think it would be better to limit the authorizations to the strict minimum (e.g., read-only private email).

@hswolff
Owner

hswolff commented Nov 17, 2020

Oooh! Nice find!

This seems to be the default behavior of next-auth to ask for the user scope when logging you in.

Seems like it'd be very possible to override and set just the scopes I'd need, as per GitHub's scope documentation. Seems like all we'd need is read:user, no?

@mvila
Author

mvila commented Nov 17, 2020

Hmm. The documentation is quite vague. I don't know exactly what we get with the read:user scope. Is it public data only?

Perhaps the best thing is to try with this scope and see what you have access to.

I've seen several OAuth examples using the user:email scope because most apps want to use the email as the user's primary identifier. But this may not be what you want for your application.

@mvila
Author

mvila commented Nov 17, 2020

I just saw that it is possible to specify no scope. It is documented as follows:

(no scope): Grants read-only access to public information (includes public user profile info, public repository info, and gists)

This may be just what you need.

@hswolff
Owner

hswolff commented Nov 19, 2020

Yeah I dig that. PRs welcome!
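The thread raises two practical points: request only the scopes the app needs instead of the broad `user` scope, and then verify what a token was actually granted. The example below is added here and is not code from this issue, its participants, or next-auth. It builds the GitHub OAuth authorize URL (a real endpoint) with an allowlist check in front of it, and it reads the `X-OAuth-Scopes` header that GitHub returns on authenticated API responses to spot over-granted tokens. The client id, redirect URI, state value, allowlist policy and the sample header value are constructed for illustration. In next-auth's GitHub provider at the time of this issue the resulting scope string is, to my understanding, what you would pass as the provider's `scope` option; check the version you run.

```javascript
// Added example (not from the issue or next-auth): least-privilege GitHub
// OAuth scope handling. Endpoint and header names are GitHub's; every
// identifier and sample value is constructed for illustration.

const GITHUB_AUTHORIZE_URL = "https://github.com/login/oauth/authorize";

// Broad scopes that imply narrower ones. `user` is what next-auth requested
// by default when this issue was opened; GitHub documents it as including
// read:user, user:email and user:follow (read/write on profile, email, followers).
const BROAD_SCOPES = {
  user: ["read:user", "user:email", "user:follow"],
};

// Policy: the scopes this application is willing to ask for. Anything outside
// this set is rejected before a user is ever prompted to grant it.
const SCOPE_ALLOWLIST = new Set(["read:user", "user:email"]);

// Normalise a scope list: trim, drop empties, de-duplicate, sort.
function normaliseScopes(scopes) {
  return [...new Set(scopes.map((s) => s.trim()).filter(Boolean))].sort();
}

// Audit a requested scope list against the allowlist. Returns the problems
// found; an empty list means the request satisfies our least-privilege policy.
function auditRequestedScopes(scopes) {
  const problems = [];
  for (const scope of normaliseScopes(scopes)) {
    if (BROAD_SCOPES[scope]) {
      problems.push(`${scope} is a broad scope implying ${BROAD_SCOPES[scope].join(", ")}`);
    } else if (!SCOPE_ALLOWLIST.has(scope)) {
      problems.push(`${scope} is not on the allowlist`);
    }
  }
  return problems;
}

// Build the authorize URL. Throws if the audit fails, so an accidental `user`
// request never reaches GitHub. An empty scope list omits the `scope`
// parameter entirely, which GitHub documents as read-only public data.
function buildAuthorizeUrl({ clientId, redirectUri, scopes = [], state }) {
  const problems = auditRequestedScopes(scopes);
  if (problems.length) throw new Error(`scope audit failed: ${problems.join("; ")}`);
  const url = new URL(GITHUB_AUTHORIZE_URL);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state); // anti-CSRF binding; caller generates a random value
  const scopeList = normaliseScopes(scopes);
  if (scopeList.length) url.searchParams.set("scope", scopeList.join(" "));
  return url.toString();
}

// GitHub reports the scopes a token actually carries in the X-OAuth-Scopes
// response header of every authenticated API call (a token with no scopes
// yields an empty value). Parse the comma-separated value into a list.
function parseOAuthScopesHeader(headerValue) {
  if (!headerValue) return [];
  return normaliseScopes(headerValue.split(","));
}

// Compare what the token carries against what we asked for. Any extra scope
// is a finding: the app requested more than intended, or the user reused an
// earlier, broader authorization of the same OAuth app.
function findExcessScopes(requested, grantedHeader) {
  const want = new Set(normaliseScopes(requested));
  return parseOAuthScopesHeader(grantedHeader).filter((s) => !want.has(s));
}

// Demo with constructed values: request read:user only, then inspect a
// constructed X-OAuth-Scopes header from a token that carries more than that.
function demo() {
  const requested = ["read:user"];
  const url = buildAuthorizeUrl({
    clientId: "CLIENT_ID_PLACEHOLDER",
    redirectUri: "https://app.example/api/auth/callback/github",
    scopes: requested,
    state: "STATE_PLACEHOLDER",
  });
  const excess = findExcessScopes(requested, "read:user, user:email, user:follow");
  return { url, excess };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

To check a live token the same way, read `X-OAuth-Scopes` from any authenticated response (for example `GET https://api.github.com/user`) and pass it to `findExcessScopes` with the scope list you configured; a non-empty result means the token holds more than the sign-in flow needs and the authorization should be revoked and re-requested.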
