Possible security flaw, leaking access token

[ergunsh]

Hey, thank you for this awesome extension! 🎉

My concern is; we need to add our github access token with repo permission to configuration file. So that any extension can read it. As a result of this, an evil extension developer can take our personal access token and breach into our private repository.

What do you think about this problem, can there be a more secure way to authenticate the extension?

[rebornix]

@ergunsh thanks for your feedback. Putting tokens in the configuration is not a perfect solution, we will visit this while pushing this extension forward.

At this moment, github.accessToken is a not must. If your local git credential manager (the one ships with Git) already remembers your credentials, we will use that when there is github.accessToken available. The only catch here is, if you don't have saved credentials and no github token, we don't have a way to do authentication yet.

[ergunsh]

Thanks for your information.