update ghauth@5 with new github auth flow #86
Conversation
FWIW, we made an org oauth app for gh-release which is also a per-user tool. If you wanted to do something similar here, you would create a changelog-maker oauth app on the nodejs org, enable device flow beta for that app and bake in the app id to this tool (ignore the client secret). It doesn't need to be listed on marketplace, and you can still bypass device flow to enter in a PAT. oauth tokens live on the users machine the same way the PAT would. Users can authorize that app id and request to grant app access to orgs. Slightly more restrictive than PATs, which just get access to everything the user has access to, but a nicer auth UX.
I don't think we want changelog-maker to be tied to the nodejs org in any meaningful way, though. It's used mostly in projects in this org but it's also used in unrelated ones. Does hosting an app in this org grant users privs to anything related to this org or is it just a means of identifying an app? It's probably not appropriate for arbitrary users to have any special status in this org, and vice versa - this org probably shouldn't have any special privs to a users' stuff (even just the ability to revoke is a bit awkward!). I guess one alternative here is to add a
That would be a valid reason to bypass the oauth device flow if it's what you want/don't want. Device flow would be a good fit for this tool from what I can tell though.
Usage of changelog-maker would only be associated with nodejs when the user authorizes with the oauth path. Nodejs would be listed as the owning account of the app, but it could just as well be rvagg/anyone.
Nope, it's just an oauth app, owned and managed by the nodejs org. It basically creates a PAT-like token, except the scope is managed by the app, and is listed as being generated by the app. It's like a PAT, generated for the user by the nodejs/changelog-maker oauth app. The way ghauth@5 implements this, the token never leaves the local machine, the same way basic auth worked.
If you created an oauth app on your account or the nodejs org, you or nodejs would not get any special access to users' data when they authenticate that way, since the tokens never leave their computer. It works very similarly to a PAT, except it's an oauth token with scopes managed by an app owned by someone. That someone doesn't ever get the token in this case. Conversely, they don't get any new or special access to the nodejs org.
You could definitely expose it that way if you wanted. My recommendation:
Unless
Sorry, I'm mistaken, scopes are still part of the auth request. They are just tracked alongside the app authorization now. If you end up requesting new scopes, the user needs to re-authorize and regrant to their orgs.
OK, I'm going to say this is a question for @nodejs/automation folks and @nodejs/releasers who are the main consumers in this org. Perhaps the convenience would be appreciated but it'd be good to do it in a way that doesn't impact people who want to use this or entirely unrelated things. I think for now this works so I'll merge and release this one to make sure we're good with GitHub's changes for now; improvements can come later if others are inclined to pursue it.
With GitHub deprecating their old auth workflow ghauth@5 includes new options, for changelog-maker we're just going to go with the "make your own personal access token" since it's a per-user thing. I don't think there's a way to set one up with the oauth flow without having an app setup for it which I don't think makes sense.
Now when you run it you'll get:
Where you have to go to that URL, make a PAT with the right scopes and paste it into your terminal.
Thanks to @bcomnes for adapting ghauth!