
Conversation

rvagg
Member

@rvagg rvagg commented Sep 15, 2020

With GitHub deprecating their old auth workflow, ghauth@5 includes new options; for changelog-maker we're just going to go with the "make your own personal access token" option since it's a per-user thing. I don't think there's a way to set one up with the oauth flow without having an app set up for it, which I don't think makes sense.

Now when you run it you'll get:

Personal access token auth for Github.
Enter a 40 character personal access token generated at
https://github.com/settings/tokens with the following scopes: repo
PAT: ✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔✔

✔ Authorized for rvagg
Wrote access token to "/home/rvagg/.config/changelog-maker/config.json"

Where you have to go to that URL, make a PAT with the right scopes and paste it into your terminal.

Thanks to @bcomnes for adapting ghauth!

@bcomnes

bcomnes commented Sep 15, 2020

fwiw, we made an org oauth app for gh-release which is also a per-user tool. If you wanted to do something similar here, you would create a changelog-maker oauth app on the nodejs org, enable device flow beta for that app and bake the app id into this tool (ignore the client secret). It doesn't need to be listed on marketplace, and you can still bypass device flow to enter in a PAT. oauth tokens live on the user's machine the same way the PAT would.

(screenshot attached: Screen Shot 2020-09-14 at 7 32 11 PM)

Users can authorize that app id and request to grant app access to orgs. Slightly more restrictive than PATs, which just get access to everything the user has access to, but a nicer auth UX.

@rvagg
Member Author

rvagg commented Sep 15, 2020

I don't think we want changelog-maker to be tied to the nodejs org in any meaningful way, though. It's used mostly in projects in this org but it's also used in unrelated ones. Does hosting an app in this org grant users privs to anything related to this org or is it just a means of identifying an app? It's probably not appropriate for arbitrary users to have any special status in this org, and vice versa - this org probably shouldn't have any special privs to a user's stuff (even just the ability to revoke is a bit awkward!).

I guess one alternative here is to add a --flag of some kind here that would point to an app instead of requesting a PAT.

@bcomnes

bcomnes commented Sep 15, 2020

I don't think we want changelog-maker to be tied to the nodejs org in any meaningful way, though.

That would be a valid reason to bypass the oauth device flow if it's what you want/don't want. Device flow would be a good fit for this tool from what I can tell though.

It's used mostly in projects in this org but it's also used in unrelated ones.

Usage of changelog-maker would only be associated with nodejs when the user authorizes with the oauth path. Nodejs would be listed as the owning account of the app, but it could just as well be rvagg/anyone.

Does hosting an app in this org grant users privs to anything related to this org or is it just a means of identifying an app?

Nope, it's just an oauth app, owned and managed by the nodejs org. It basically creates a PAT-like token, except the scope is managed by the app, and it is listed as being generated by the app. It's like a PAT, generated for the user by the nodejs/changelog-maker oauth app. The way ghauth@5 implements this, the token never leaves the local machine, the same way basic auth worked.

It's probably not appropriate for arbitrary users to have any special status in this org, and vice versa - this org probably shouldn't have any special privs to a users' stuff (even just the ability to revoke is a bit awkward!).

If you created an oauth app on your account or the nodejs org, you or nodejs would not get any special access to users' data when they authenticate that way, since the tokens never leave their computer. It works very similarly to a PAT, except it's an oauth token with scopes managed by an app owned by someone. That someone doesn't ever get the token in this case. Conversely, they don't get any new or special access to the nodejs org.

I guess one alternative here is to add a --flag of some kind here that would point to an app instead of requesting a PAT.

You could definitely expose it that way if you wanted.

My recommendation:

  • Create an oauth app in either the nodejs org or your personal account
  • Bake the client id in to enable device flow.

Unless

  • You don't like the idea of oauth apps on GitHub for whatever reason.
  • There is some kind of issue with nodejs managing an oauth app (too many people have access to mess with it) in which case create the app on your personal account.

@bcomnes

bcomnes commented Sep 15, 2020

Sorry, I'm mistaken, scopes are still part of the auth request. They are just tracked alongside the app authorization now. If you end up requesting new scopes, the user needs to re-authorize and re-grant to their orgs.

@rvagg
Member Author

rvagg commented Sep 16, 2020

OK, I'm going to say this is a question for @nodejs/automation folks and @nodejs/releasers who are the main consumers in this org. Perhaps the convenience would be appreciated but it'd be good to do it in a way that doesn't impact people who want to use this or entirely unrelated things. I think for now this works so I'll merge and release this one to make sure we're good with GitHub's changes for now; improvements can come later if others are inclined to pursue it.

@rvagg rvagg merged commit c00c714 into master Sep 16, 2020
@rvagg rvagg deleted the rvagg/ghauth-5 branch September 16, 2020 04:44