
Use the Authorization HTTP header instead of access_token query parameter #75

Open
timqian opened this issue Feb 5, 2020 · 18 comments

@timqian

timqian commented Feb 5, 2020

Today I got an email containing the following.

Hi @timqian,

On February 3rd, 2020 at 22:22 (UTC) your application (repo-analytics) used an access token (with the User-Agent passport-github) as part of a query parameter to access an endpoint through the GitHub API:

https://api.github.com/user/emails

Please use the Authorization HTTP header instead as using the access_token query parameter is deprecated.

Depending on your API usage, we'll be sending you this email reminder once every 3 days for each token and User-Agent used in API calls made on your behalf.
Just one URL that was accessed with a token and User-Agent combination will be listed in the email reminder, not all.

Visit https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters for more information.

Thanks,
The GitHub Team

@Martii

Martii commented Feb 5, 2020

Got something similar to this yesterday... it's very unclear what GH is doing with this. As the Active Maintainer of our project the documentation I've read at:

and so on. We have an issue I opened yesterday because at one point we utilize client_id and client_secret in an import routine as well.

Our message was:

Please use Basic Authentication instead as using OAuth credentials in query parameters has been deprecated.

This may not be related to this package however it's important that we rule this out for sure. 👀

@timqian

timqian commented Feb 6, 2020

According to the email, this issue is caused by passport-github, but I don't find the place where access_token is used as a query parameter.

your application (repo-analytics) used an access token (with the User-Agent passport-github) as part of a query parameter to access an endpoint

It might be not related but in another GitHub APP of mine, I met a similar issue and solved it by removing access_token in params and adding it to the header

@thenengah

Also getting this.

@Martii

Martii commented Feb 6, 2020

@timqian

passport-github for a UA is a little unusual and not found in this dep, it's dependencies, and your referenced top-level project... from a quick GH search so not sure where that is coming from. Our mentioned UA is NodeJS HTTP Client which seems to be consistent with our request.

In our case I'm not sure we actually have saved the normal OAuth token anywhere (just the client_id and client_secret) so using params is noted (Thanks)... although those are usually in forms from my experience. The remaining read authenticating method that seems to be mentioned is using the token in a header. Have you tried that instead? (Misread your commit... that's what you did) This is the route I'm going to eventually try if I can get to the basic OAuth token (i.e. not the personal access token but will try that too) I think.

Appreciate the response... maybe I'll absorb what is changing when I have some more dedicated time. In general it seems like the QSP's for the API are going away completely.

@thenengah

thenengah commented Feb 6, 2020

@timqian

The UA is clearly in the code:
https://github.com/jaredhanson/passport-github/blob/4db6a1b1a1c8e416b830afb1a0b852020d234a90/lib/strategy.js

    options.customHeaders['User-Agent'] = options.userAgent || 'passport-github';

What's not clearly in the code is access_token as a query params, also not in the parent passport module.

@Martii

Martii commented Feb 6, 2020

@thenengah

Nice catch... guess searching the project with GH didn't yield this ~20 minutes moments ago (or maybe missed... going to go AFK cuz it's late).

@thenengah

thenengah commented Feb 6, 2020

So it looks like it might be a bug, but the deprecation notice from GH is a misnomer.

GitHub is deprecating authentication to the GitHub API using query parameters, such as using an access_token query parameter for OAuth user authentication or a client_id/client_secret query parameter for OAuth application authentication. All authentication to the GitHub API should be done using

or a client_id/client_secret query parameter for OAuth application authentication

So it looks like it could also be client_id & client_secret somewhere in the chain.

😴

@thomasstjerne

As I understand it, passport-github is unmaintained and has been forked into passport-github2 maintained by @cfsghost, so maybe it is more likely to be addressed there

@rodikh

rodikh commented Feb 6, 2020

I've received a similar email regarding the use of access_token in a /user/emails api call with the passport-github User-Agent.

Upon investigating, I realised that passport-github.Strategy inherits from the passport-oauth2.OAuth2Strategy which in turn uses an oauth2 client.
Somewhere further down the line, the oauth2 request handler appends the access_token query parameter to any request that is missing an Authorization header, which, incidentally, includes the '/emails' request that is being made in the passport-github.Strategy.userProfile method.

@rodikh

rodikh commented Feb 6, 2020

I've only tested it for my own Github App, but merely adding an "Authorization": 'token ${access_token}' header to the /emails request will not break the request, and might address the issue of using a deprecated query parameter.

https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/#web-application-flow
(as described in step 3. Use the access token to access the API)

@ashvin777

Received this 😞

On February 4th, 2020 at 01:17 (UTC) your application (xxxx) used an access token (with the User-Agent passport-github) as part of a query parameter to access an endpoint through the GitHub API.

https://api.github.com/user/emails

Please use the Authorization HTTP header instead as using the access_token query parameter is deprecated.

Depending on your API usage, we'll be sending you this email reminder once every 3 days for each token and User-Agent used in API calls made on your behalf.
Just one URL that was accessed with a token and User-Agent combination will be listed in the email reminder, not all.

Visit https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters for more information.

Thanks,
The GitHub Team

Any update guys?

@ashvin777

Looks like this repo has been deprecated as per PassportJS.

We should be using passport-github2 package.

http://www.passportjs.org/packages/passport-github2/

@devinmcinnis

devinmcinnis commented Feb 8, 2020

Note: I haven't tested any of this so take it with a grain of salt.

If your email only mentions /user, being on 1.1.0 or later should fix the problem since this package, by default, doesn't use query params.

    this._oauth2.useAuthorizationHeaderforGET(true);

If the email mentions /user/emails, you can wait until a fix (#76) is merged into this package or switch to passport-github2. It looks like it has been updated to always send requests using headers rather than query params.

passport-github

    self._oauth2._request('GET', self._userProfileURL + '/emails', { 'Accept': 'application/vnd.github.v3+json' }, '', accessToken, function(err, body, res) {

https://github.com/ciaranj/node-oauth/blob/a7f8a1e21c362eb4ed2039431fb9ac2ae749f26a/lib/oauth2.js#L115

passport-github2
https://github.com/cfsghost/passport-github/blob/37f67054c38b441b57af9a3156519004308dbeb5/lib/strategy.js#L127

https://github.com/ciaranj/node-oauth/blob/a7f8a1e21c362eb4ed2039431fb9ac2ae749f26a/lib/oauth2.js#L219-L223
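The fallback rodikh describes (a token with no Authorization header ends up as an access_token query parameter) and the header-based fix that devinmcinnis and the PR point to, modelled side by side in an added example. This is not code from passport-github, passport-github2 or node-oauth: `legacyRequest` is a simplified stand-in for the assumed library behaviour, `buildEmailsRequest` is the hypothetical fixed call, and `findQueryCredentials` is an audit helper for checking an outgoing URL (or a proxy log line) for the three parameters GitHub deprecated. All function names and the token value are constructed.

```javascript
// Added example: models the behaviour discussed in this thread. It is not
// code from passport-github, passport-github2 or node-oauth; the function
// names are made up for illustration.

// Simplified stand-in for the node-oauth fallback: if a request carries an
// access token but no Authorization header, the token is appended to the
// query string as access_token (the deprecated form GitHub's reminder email
// complains about). Assumed behaviour, not a copy of the library's code.
function legacyRequest(url, headers, accessToken) {
  const u = new URL(url);
  const h = Object.assign({}, headers);
  const hasAuthHeader = Object.keys(h).some(
    (k) => k.toLowerCase() === 'authorization'
  );
  if (accessToken && !hasAuthHeader) {
    u.searchParams.set('access_token', accessToken);
  }
  return { url: u.toString(), headers: h };
}

// The fix proposed in the thread: send the token in the Authorization
// header, so the fallback never touches the query string. The URL returned
// is the plain /user/emails endpoint, with the credential only in headers.
function buildEmailsRequest(apiBase, accessToken) {
  const headers = {
    Accept: 'application/vnd.github.v3+json',
    Authorization: 'token ' + accessToken,
    'User-Agent': 'passport-github',
  };
  return legacyRequest(apiBase + '/user/emails', headers, accessToken);
}

// Defender-side audit: the query parameters GitHub deprecated for
// authentication. Check an outgoing URL before it is sent, or scan proxy
// and access logs for requests that still carry them.
const DEPRECATED_QUERY_AUTH = ['access_token', 'client_id', 'client_secret'];

function findQueryCredentials(url) {
  const u = new URL(url);
  return DEPRECATED_QUERY_AUTH.filter((p) => u.searchParams.has(p));
}

// Runs both variants on a constructed token and reports which one still
// puts a credential in the query string.
function demo() {
  const token = 'EXAMPLE_TOKEN_not_real'; // constructed placeholder
  const before = legacyRequest(
    'https://api.github.com/user/emails',
    { Accept: 'application/vnd.github.v3+json' },
    token
  );
  const after = buildEmailsRequest('https://api.github.com', token);
  return {
    beforeLeaks: findQueryCredentials(before.url), // ['access_token']
    afterLeaks: findQueryCredentials(after.url),   // []
  };
}

console.log(demo());
```

The header check is case-insensitive because HTTP header names are, so a lowercase `authorization` key also suppresses the fallback; the audit helper is deliberately limited to the three parameter names GitHub's deprecation notice names, so it flags both the user-token case from this issue and the client_id/client_secret case Martii mentions.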

@k4m4

k4m4 commented Feb 11, 2020

@jaredhanson Any updates on this?

@drupal-spider

Got the email today.
At the end of that email, there is a link to following document.
https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param/

@emwalker

emwalker commented Jun 6, 2020

As people have noted, and as evidenced by the PR from @rodikh that was ignored, this repo appears to be unmaintained. So best to look elsewhere to fix the GitHub deprecation warning. I will give passport-github2 a try.

@joeycozza

joeycozza commented May 5, 2021

@emwalker did going to passport-github2 solve your issue? From glancing at their code, it is still doing the same this._oauth2.get() call with the accessToken, instead of setting the Authorization header like the PR here does. https://github.com/jaredhanson/passport-github/pull/76/files

@emwalker

emwalker commented May 5, 2021

@joeycozza going to passport-github2 solved the immediate issue that brought me here. In my case the project is a side project, and I did not dig into the implementation to determine whether passport-github2 is doing things securely or correctly. But it did make the warning go away.
