Requested permissions are too broad #3

Open
fluffynuts opened this issue May 31, 2021 · 5 comments
@fluffynuts

If Merico aims to provide metrics for software development I can understand wanting read-access to basically all public information on GitHub, but why does it also request write access? I'm not comfortable handing over global write access to my code on GitHub.

Would it be possible to reduce required permissions to read-only?

@lucasgonze
Contributor

Thanks for reporting this. It's a bug.

We intended to redo permissions to only ask for "(no scope)" permissions. Somehow the ticket got closed without being implemented. We'll investigate further.

@joncodo

joncodo commented May 31, 2021

You are right.

```javascript
// Express route handler using passport's GitHub strategy. The `public_repo`
// scope requested here is what grants write access to public repositories.
// (The require and the surrounding module export are added so the fragment
// stands alone; the handler body is as quoted.)
const passport = require('passport')

module.exports = {
  authGithub: (req, res) => {
    // https://docs.github.com/en/free-pro-team@latest/developers/apps/scopes-for-oauth-apps
    passport.authorize('github', {
      scope: ['user:email', 'public_repo'],
      accessType: 'offline',
      approvalPrompt: 'force',
      state: JSON.stringify({
        isLogin: req.query.login
      })
    })(req, res)
  },
}
```


We will get this in the pipeline to be fixed.

@hezyin
Member

hezyin commented May 31, 2021

@fluffynuts Thanks for reporting this. We re-investigated the GitHub OAuth scopes (docs) and looked for a scope that only allows read-only access to public repos. Unfortunately, there's no such scope available and it seems this has been a known issue for GitHub OAuth since 2016. In short, GitHub OAuth doesn't support read-only access to repos. Here is one of the many similar feature requests to GitHub that I can find on this topic.

We also looked into how other apps that need access to repos handle this. And this doc by CodeClimate also confirmed our research:

The repo and public_repo scopes grant read and write access to code. While we will never write code to your repository, currently these OAuth scopes are the most narrow that GitHub supports for our use case (there is no repo:read e.g.).

So we're already using the most narrow scope that's required for our use case (public_repo). We'll keep an eye out on GitHub's progress in supporting this but there's not much that we can fix for now.

We'll consider adding help text to explain better why the public_repo scope is needed here. Thanks again for using Merico Build!
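The scope problem discussed above can be checked from the token side. GitHub reports a token's granted scopes in the `X-OAuth-Scopes` response header of every API call and the scopes each endpoint accepts in `X-Accepted-OAuth-Scopes`; the audit below (an added example, not Merico Build's code) flags write-capable scopes and granted scopes that none of the app's observed calls needed. The header values at the bottom are constructed samples.

```javascript
// Added example, not Merico Build's own code: audit the scopes carried by a
// GitHub OAuth token against what the app's API calls actually require.

// Scopes that permit modifying data, per GitHub's OAuth scope docs. As the
// thread notes, `repo` and `public_repo` grant read AND write to code; GitHub
// offers no read-only repo scope, and a token with no scope at all is limited
// to read-only access to public information.
const WRITE_SCOPES = new Set([
  'repo', 'public_repo', 'delete_repo', 'workflow', 'gist', 'user',
  'write:org', 'admin:org', 'write:packages', 'delete:packages',
  'write:repo_hook', 'admin:repo_hook', 'write:public_key', 'admin:public_key',
  'write:gpg_key', 'admin:gpg_key',
]);

// Parse a comma-separated scope header into a normalized array
// ("" or a missing header means the token has no scope).
function parseScopes(header) {
  return (header || '').split(',').map(s => s.trim()).filter(Boolean);
}

// Granted scopes that allow writes, in the order GitHub listed them.
function writeScopes(grantedHeader) {
  return parseScopes(grantedHeader).filter(s => WRITE_SCOPES.has(s));
}

// Least-privilege check: given the token's X-OAuth-Scopes and the
// X-Accepted-OAuth-Scopes seen on each endpoint the app calls, return granted
// scopes that no observed endpoint accepted. An empty accepted list means the
// endpoint needs no scope. (Scope hierarchy, e.g. `repo` implying
// `public_repo`, is deliberately not modelled: an unexpected entry here is a
// prompt to review, not proof of excess.)
function unusedScopes(grantedHeader, acceptedHeaders) {
  const needed = new Set();
  for (const h of acceptedHeaders) {
    for (const s of parseScopes(h)) needed.add(s);
  }
  return parseScopes(grantedHeader).filter(s => !needed.has(s));
}

// Constructed samples: the token issued by the authGithub handler above, and
// the accepted-scope headers of two calls such an app might make
// (GET /user/emails, and a read of a public repository).
const granted = 'user:email, public_repo';
const observed = ['user, user:email', ''];
console.log('write-capable:', writeScopes(granted));       // ['public_repo']
console.log('not needed by observed calls:', unusedScopes(granted, observed));
```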

@lucasgonze
Contributor

@fluffynuts status: our next step is to make a developer build with "no scope" permissions and see if there are any broken features.

@lucasgonze
Contributor

read_only permissions are on the way.
