
Use password once to get OAuth token, and forget

Github provides a simple way to create an OAuth token using Basic Auth:
http://developer.github.com/v3/oauth/#create-a-new-authorization

This enables Gist.vim to ask users' password once on first use, and
store only the obtained token for later.  User can easily revoke the
token and create a new one at anytime, so this is much more secure.
Forcing them to create their own Github application and exchange client ID
and secrets makes no sense given this simple way to get the same token. :)
netj committed Jul 8, 2012
1 parent 3e02137 commit 91117196361bddf9ac571ec01806aef312bcc52e
Showing with 44 additions and 91 deletions.
  1. +7 −24 README.mkd
  2. +25 −37 autoload/gist.vim
  3. +12 −30 doc/gist-vim.txt
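--- a/README.mkd
+++ b/README.mkd
@@ -190,31 +190,14 @@ If you want to uninstall gist.vim, remember to also remove `~/.gist-vim`.
 ## Setup:
-This plugin uses github API v3. Setting value is stored in `~/.gist.vim`.
+This plugin uses github API v3. Setting value is stored in `~/.gist-vim`.
 gist-vim have two ways to access APIs.
-### Basic Auth
+First, you need to set your Github username in global git config:
-Require github user ID and password. This is easy but not secure.
+ $ git config --global github.user Username
-### OAuth2
-
-1. Register your application.
-
-Note that you must set `Callback URL` as same as following.
-
-https://github.com/settings/applications/new
-
-fill like following
-
-![](http://mattn.github.com/gist-vim/static/image/setting1.png)
-
-2. Start `:Gist -l`
-
-You'll see some prompts. fill ClientID/CilentSecret. Then you can see browser show up.
-
-![](http://mattn.github.com/gist-vim/static/image/setting2.png)
-
-This is a PIN code.
-
-Copy this value and paste to prompt `PIN:`.
+Then, gist.vim will ask for your password to create an authorization when you
+first use it. The password is not stored and only the OAuth access token will
+be kept for later use. You can revoke the token at any time from the list of
+["Authorized applications" on Github's "Account Settings" page](https://github.com/settings/applications).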
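--- a/autoload/gist.vim
+++ b/autoload/gist.vim
@@ -9,6 +9,8 @@
 let s:save_cpo = &cpo
 set cpo&vim
+let s:configfile = expand('~/.gist-vim')
+
 if !exists('g:github_user')
 let g:github_user = substitute(system('git config --get github.user'), "\n", '', '')
 if strlen(g:github_user) == 0
@@ -122,6 +124,9 @@ function! s:GistList(gistls, page)
 bw!
 redraw
 echohl ErrorMsg | echomsg content.message | echohl None
+ if content.message == 'Bad credentials'
+ call delete(s:configfile)
+ endif
 return
 endif
@@ -620,9 +625,8 @@ function! s:GetAuthHeader()
 return printf("basic %s", webapi#base64#b64encode(g:github_user.":".password))
 endif
 let auth = ""
- let configfile = expand('~/.gist-vim')
- if filereadable(configfile)
- let str = join(readfile(configfile), "")
+ if filereadable(s:configfile)
+ let str = join(readfile(s:configfile), "")
 if type(str) == 1
 let auth = str
 endif
@@ -634,41 +638,25 @@ function! s:GetAuthHeader()
 redraw
 echohl WarningMsg
 echo 'Gist.vim requires authorization to use the Github API. These settings are stored in "~/.gist-vim". If you want to revoke, do "rm ~/.gist-vim".'
- echohl ErrorMsg
- echo 'Be sure to run "chmod 600 ~/.gist-vim" after finishing setup.'
 echohl None
- let api = inputlist(['Which API:', '1. basic auth', '2. oauth2'])
- if api == 1
- redraw | echo "\r"
- let password = inputsecret("Password:")
- let secret = printf("basic %s", webapi#base64#b64encode(g:github_user.":".password))
- call writefile([secret], configfile)
- return secret
- elseif api == 2
- let auth_url = "https://github.com/login/oauth/authorize"
- let access_token_url = "https://github.com/login/oauth/access_token"
- redraw | echo "\r"
- let client_id = input("ClientID: ")
- redraw | echo "\r"
- let client_secret = input("ClientSecret: ")
- let url = auth_url."?scope=gist&client_id=".client_id
- call s:open_browser(url)
-
- let pin = input("PIN: ")
- redraw | echo ''
- let res = webapi#http#post(access_token_url, {"client_id": client_id, "code": pin, "client_secret": client_secret})
- let secret = ''
- for item in split(res.content, '&')
- let token = split(item, '=')
- if len(token) == 2 && token[0] == 'access_token'
- let secret = printf("token %s", webapi#http#decodeURI(token[1]))
- break
- endif
- endfor
- call writefile([secret], configfile)
- return secret
- endif
- return ""
+ redraw | echo "\r"
+ let password = inputsecret("Github Password for ".g:github_user.":")
+ let insecureSecret = printf("basic %s", webapi#base64#b64encode(g:github_user.":".password))
+ let res = webapi#http#post('https://api.github.com/authorizations', webapi#json#encode({
+ \ "scopes" : ["gist"],
+ \ "note" : "Gist.vim on ".hostname(),
+ \ "note_url" : "http://www.vim.org/scripts/script.php?script_id=2423"
+ \}), {
+ \ "Content-Type" : "application/json",
+ \ "Authorization" : insecureSecret,
+ \})
+ let authorization = webapi#json#decode(res.content)
+ let secret = printf("token %s", authorization.token)
+ call writefile([secret], s:configfile)
+ if !(has('win32') || has('win64'))
+ call system("chmod go= ".s:configfile)
+ endif
+ return secret
 endfunction
 let s:extmap = {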
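Review bot: In the new authorization code at the end of s:GetAuthHeader, `authorization.token` is read without checking that the decoded response actually carries a token, so a rejected password (a reply such as `{"message": "Bad credentials"}`) aborts with a raw Vim key error instead of a readable message, and a reply that decodes to something other than a dictionary would fail the same way; guard it with `has_key()` and return `''` on failure before anything is written. The token file is also created by `writefile()` with default permissions and only narrowed afterwards by `chmod go=`, and the path is handed to the shell unquoted, so create the file empty, restrict it (using `shellescape(s:configfile)`), and only then write the secret. The unchanged warning text just above still tells users that `rm ~/.gist-vim` revokes access, which no longer holds now that a server-side authorization is created; it should point at the Authorized applications page as the new README text does. In the s:GistList hunk, `content.message == 'Bad credentials'` should be `content.message ==# 'Bad credentials'` so the comparison does not depend on 'ignorecase'. s:GetAuthHeader's body begins outside the hunk.
```vim
" … unchanged: password prompt and POST to /authorizations …
let authorization = webapi#json#decode(res.content)
if type(authorization) != type({}) || !has_key(authorization, 'token')
  let reason = type(authorization) == type({}) && has_key(authorization, 'message') ? authorization.message : res.content
  echohl ErrorMsg | echomsg 'Gist.vim: failed to create an authorization: '.reason | echohl None
  return ''
endif
let secret = printf("token %s", authorization.token)
" create the file empty and restrict it before the token is written into it
call writefile([], s:configfile)
if !(has('win32') || has('win64'))
  call system("chmod go= ".shellescape(s:configfile))
endif
call writefile([secret], s:configfile)
return secret
```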
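--- a/doc/gist-vim.txt
+++ b/doc/gist-vim.txt
@@ -207,46 +207,27 @@ SETUP *gist-vim-setup*
 This plugin uses github API v3. Setting value is stored in `~/.gist.vim`.
 gist-vim have two ways to access APIs.
-|BasicAuth|
-
- Require github user ID and password. This is easy but not secure.
- You need to set global git config:
+First, you need to set your Github username in global git config:
 >
 $ git config --global github.user Username
 <
- If you want to use password written in ~/.gitconfig like below:
+Then, gist.vim will ask for your password to create an authorization when you
+first use it. The password is not stored and only the OAuth access token will
+be kept for later use. You can revoke the token at any time from the list of
+"Authorized applications" on Github's "Account Settings" page.
+(https://github.com/settings/applications)
+
+If you happen to have your password already written in ~/.gitconfig like
+below:
 >
 [github]
 password = xxxxx
 <
- Add following into your ~/.vimrc
+Then, add following into your ~/.vimrc
 >
 let g:gist_use_password_in_gitconfig = 1
 <
-|OAuth2|
-
- 1. Register your application.
-
- Note that you must set `Callback URL` as same as following.
-
- https://github.com/settings/applications/new
-
- fill like following
-
- Callback URL should be http://mattn.github.com/gist-vim
- If you don't want to point this site, use URL parameter 'code' as PIN.
-
- 2. If you haven't already set up your github user in .gitconfig:
->
- $ git config --global github.user Username
-<
-
- 3. Start `:Gist -l`
-
- You'll see some prompts. fill ClientID/CilentSecret. Then you can see
- browser show up.
- If you set Callback URL above, you can see PIN code.
- Copy this value and paste to prompt `PIN:`.
+This is not secure at all, so strongly discouraged.
 ==============================================================================
 THANKS *gist-vim-thanks*
@@ -265,5 +246,6 @@ THANKS *gist-vim-thanks*
 steve
 tyru
 Will Gray
+ netj
 vim:tw=78:ts=8:ft=help:norl: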
