
feat(app/web): bypass metrics.api.github.overuse with OAuth #1171

Merged
merged 3 commits into from
Aug 6, 2022

Conversation

lowlighter
Owner

@lowlighter lowlighter commented Aug 2, 2022

The aim of this PR is to let users authenticate themselves on a web instance through GitHub with OAuth so they can use their own token (instead of the shared one).

When authenticated, the metrics.api.github.overuse restriction would automatically be lifted, allowing users to use plugins that consume many more API requests.

It could also lead to additional features that would be available only when logged in, but I'm not sure about this yet.

This PR also brings some UI changes, and also makes it clearer which options are supported by the web instance depending on the set policy.


  • Display deprecated plugins
  • Display search API quota
  • GitHub OAuth
    • Signin button and process
      • Explain what signin is for
      • Allow some scopes configuration?
      • Hide button if unconfigured
    • Supports session
    • Supports using custom octokit to use logged user API quotas
    • Display login if using custom octokits
    • Custom extras permissions
      • When logged
    • Check for logout/revocation
  • Display unsupported options due to missing extras permissions
  • UI changes
    • Group plugins options
    • Clearer delimitations between plugins

return {login, graphql: octokit.graphql.defaults({headers: {authorization: `token ${token}`}}), rest: new OctokitRest.Octokit({auth: token})}
}
else if (session)
console.debug(`metrics/app/session > unknown session ${session.substring(0, 6)}, using default octokit`)
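Review bot: the `console.debug` call at the end of this hunk writes `session.substring(0, 6)` straight into the log, and since `session` is a client-supplied identifier this is what the CodeQL log-injection alert flags; even truncated to six characters it can carry newline or control characters that forge extra log lines. Sanitise before logging, for example `session.replace(/[^\w-]/g, "")`, or log a fixed-length hash of the value instead, and keep the fallback to the default octokit as it is.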

Check failure

Code scanning / CodeQL

Log injection

[User-provided value](1) flows to log entry. [User-provided value](2) flows to log entry. [User-provided value](3) flows to log entry.
<body>
Redirecting...
<script>
const query = new URLSearchParams(location.search)
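Review bot: the experimental CodeQL "SQL database query built from user-controlled sources" alert on `new URLSearchParams(location.search)` looks like a false positive, since this is client-side query-string parsing and no database call appears in the hunk; dismiss it with a reason in the code-scanning UI rather than leaving it open, so that the remaining alerts on this file stay visible.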

Check failure

Code scanning / CodeQL

SQL database query built from user-controlled sources (experimental)

(Experimental) This may be a database query that depends on [a user-provided value](1). Identified using machine learning.
Alerts later marked fixed: source/app/web/instance.mjs (3), source/app/web/statics/oauth/redirect.html (2), source/app/web/statics/embed/index.html (1)
localStorage.setItem("session.metrics", session)
const to = query.get("to")
if (to)
window.location.href = to

Check warning

Code scanning / CodeQL

Client-side cross-site scripting

Cross-site scripting vulnerability due to [user-provided value](1).
localStorage.setItem("session.metrics", session)
const to = query.get("to")
if (to)
window.location.href = to
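Review bot: `window.location.href = to`, with `to` taken unchecked from the `to` query parameter, is both an open redirect and a client-side XSS sink, because a `javascript:` URL assigned to `location.href` executes in the page; that is what the two CodeQL alerts on this hunk report. Resolve the parameter against the current origin and only follow it when it stays same-origin, e.g. `const url = new URL(query.get("to") ?? "/", location.origin)` followed by `if (url.origin === location.origin) window.location.href = url.href` (wrapped in a try/catch, since `new URL` throws on unparsable input); a `javascript:` or protocol-relative `//host` value then fails the origin comparison and is ignored.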

Check warning

Code scanning / CodeQL

Client-side URL redirect

Untrusted URL redirection due to [user-provided value](1).
@lowlighter lowlighter marked this pull request as ready for review August 6, 2022 04:07
@lowlighter lowlighter merged commit 587ceec into master Aug 6, 2022
@lowlighter lowlighter deleted the feat-oauth branch August 6, 2022 04:09
@github-actions github-actions bot locked and limited conversation to collaborators Aug 21, 2022