Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Deprecation for authentication via URL query parameters #83

Closed
ybiquitous opened this issue Feb 4, 2020 · 3 comments · Fixed by #84
Closed

Deprecation for authentication via URL query parameters #83

ybiquitous opened this issue Feb 4, 2020 · 3 comments · Fixed by #84

Comments

@ybiquitous
Copy link

@ybiquitous ybiquitous commented Feb 4, 2020

Hi! I've received the following email from GitHub since yesterday:

Subject: [GitHub API] Deprecation notice for authentication via URL query parameters

Hello there!

On February 3rd, 2020 at 23:51 (UTC) your application (*****) used an access token (with the User-Agent Faraday v0.17.3) as part of a query parameter to access an endpoint through the GitHub API.

https://api.github.com/user

Please use the Authorization HTTP header instead as using the `access_token` query parameter is deprecated.

Depending on your API usage, we'll be sending you this email reminder once every 3 days for each token and User-Agent used in API calls made on your behalf.
Just one URL that was accessed with a token and User-Agent combination will be listed in the email reminder, not all.

Visit https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters for more information.

Thanks,
The GitHub Team

See also https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters

I've identified the problem in the following places:

def raw_info
access_token.options[:mode] = :query
@raw_info ||= access_token.get('user').parsed
end

def emails
return [] unless email_access_allowed?
access_token.options[:mode] = :query
@emails ||= access_token.get('user/emails', :headers => { 'Accept' => 'application/vnd.github.v3' }).parsed
end

When I try the following monkey patch on my environment, it works! 🎉

class OmniAuth::Strategies::GitHub
  def raw_info
    access_token.options[:mode] = :header
    @raw_info ||= access_token.get('user').parsed
  end

  def emails
    return [] unless email_access_allowed?
    access_token.options[:mode] = :header
    @emails ||= access_token.get('user/emails', :headers => { 'Accept' => 'application/vnd.github.v3' }).parsed
  end
end

Here is the essential change: ⬇️

-access_token.options[:mode] = :query
+access_token.options[:mode] = :header

I don't want to depend on such a monkey-patch in my codebase, so I'm ready to open a new pull request if you could accept the workaround. 😄

Environment

  • Ruby 2.6.5
  • omniauth (1.9.0)
  • omniauth-oauth2 (1.6.0)
  • omniauth-github (1.3.0)
@ybiquitous

This comment has been minimized.

Copy link
Author

@ybiquitous ybiquitous commented Feb 6, 2020

Thanks a lot! 🎉

@ssaunier

This comment has been minimized.

Copy link

@ssaunier ssaunier commented Feb 7, 2020

Thanks for the quick fix 🙏

Any plan on pushing a new version to Rubygems?

[EDIT] Oh I see this is being discussed in #84, sorry 🙈

@BobbyMcWho

This comment has been minimized.

Copy link
Member

@BobbyMcWho BobbyMcWho commented Feb 7, 2020

I'll leave this here so folks can find it

#88 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

3 participants
You can’t perform that action at this time.