I have a website that displays records from a database. I have set up a feedback form so if someone spots a mistake in a record, they can report it so it can be set right. I use a Github Personal Access Token (PAT) to create a Github issue when the form is submitted, and then the appropriate team member is notified. It all works fine, but my questions:
This is potentially opening up the possibility of spam issues being created. How can I catch that? I have also set up a question-answer barrier before the user can submit the form (to determine it is not a robot trying to create fake issues) but, of course, this is not fool-proof.
The PATs seem to expire after a certain period of time. Is there a way to generate a PAT that lasts a long time?
Any other gotchas I should be aware of before I unroll this to public users?
The PATs seem to expire after a certain period of time. Is there a way to generate a PAT that lasts a long time?
As documented, a PAT only expires if you selected an expiration period at its creation:
For creating issues, make sure you have selected only the scope public_repo or repo permission on your Personal Access Token.
public_repo will only grant the ability to manipulate public repositories.
repo will grant the ability to manipulate all repositories you have access to.
Note sure about issue spam, except for reporting those when you see them.
Related
I am writing a Github App that is able to create repositories in an installation.
When the App acts on behalf of an authenticated user, I would like to check that the user can (by themselves) create a repository in the org.
I have spent a lot of time on GitHub's API docs, but I cannot find the answer.
My first thought was that this info should be available in the endpoint /user/installations. The endpoint lists the installations that the user can access (either as a member of an organization or as an external collaborator). However, the permissions returned with each entry are actually the permissions for the App, not for the user. So, this is a dead end.
Another direction was looking at the (public+private) organizations of the user using /user/orgs.
(This does not seem the right direction because as an App I would expect to operate only on installations...)
With this endpoint, I can get all the organizations of the user. However, I don't get whether they can create repos and/or what the role of the user is in the organization.
Should I use the teams/roles part of the API?
My App doesn't ask for the members suite of permissions so I would like to avoid this road.
At this point, the only workarounds are:
Try to create the repo as the user, take note if it fails. Bad solution because I don't want to tell the user that they can create a repo if they can't.
In the background, try to create a repo as the user to check if it possible. If it is, delete the repo. This works but it seems an ugly workaround.
Any suggestion?
If I mention an external user in a private repo, does that grant them access to the conversation/branch/repo? And if so, does removing the conversation will withdraw the access?
No, a user's access is not modified by whether you mention them. For example, if at work I mention a former colleague (e.g., “That was written by #octocat, who's no longer here.”), that user does not get notified at all and doesn't get any access to that repository.
Doing so would be tricky because it would allow people to gain access even when they definitely should not have access (former employees, project members who have been asked to leave for inappropriate behavior, etc.).
Other than emailing everyone and asking them (and hoping they respond), how do I get a list of which of my organization's members have created personal access tokens?
My immediate use for this is a rather sad one: Github only supports API tokens with write access bound to users. In years past, some people have created automatic processes using their private access token; this happens in early-stage startups. Occasionally we have the problem of people leaving under suboptimal conditions, so to speak, and of course when their credentials get revoked, something breaks.
I don't believe GitHub provides this information, so you'll have to email and ask.
However, because GitHub is deprecating password authentication for Git, almost every user will have a PAT. Even before this, they were required for everyone with 2FA using HTTPS, and because many organizations require 2FA, that practically means everyone will have them unless they're using SSH exclusively. So the answer this question doesn't really tell you anything related to your intended goal, since the likely answer is “everyone.”
What I would do in this case is create a bot or machine account with its own email address tied to your company's domain, and then rotate tokens individually using that account. If you need to keep track of which ones are rotated and which aren't, hash the ones you've issued with the machine account with SHA-256 and store them in a list. If the hashed token is in the list, then it's been rotated; otherwise, it hasn't.
I am using Github Enterprise v2.13.5 and want to activate dormant users. Currently Github automatically activates the dormant user when they log back in. But I need to explicitly activate all dormant users
The /users API does not tell us whether a User is dormant or not. There are some manual workarounds for at least identifying the inactive users , but most that I found are not feasible in practice.
If you do not need any information on which user was dormant, you could write a little script that automatically creates impersonation tokens for each user and (in their name) do one arbitrary action on Github:
With your account, create a project [yourname]/un-dormant-project
For each known user (get via /users API):
a. Create an impersonation token
b. In the name of the user, perform an arbitrary action on [yourname]/un-dormant-project
c. Delete impersonation token
I assume that you must not delete the project you created because otherwise the users will become dormant again very quickly.
Disclaimer: I did not try this approach out.
We've set up a Github app so that it automatically forks a repository for another individual Github user using the Github API. Now we're running into a problem that not everyone wants to give us full read access to all of their private repositories since sometimes they contain sensitive data.
Is there a way to only get read/write permission to a single repository and not the individual's entire account?
Unfortunately, this is not available yet. This feature is still under development as you can see in the Gihub Apps roadmap (and note that I am talking about Github Apps, not OAuth Github Apps). I don't know if this will ever be possible in OAuth Apps but it seems that it might in Github Apps.
There is already a discussion about this at the dear github repository. You should check for news there.
Is there a way to only get read/write permission to a single repository and not the individual's entire account?
Not that I know of: it is easier to setup a new dedicated GitHub account where you would recreate the private repos you want to give access to.
In that new account, you can consider all the private repos can be accessed.
You would keep the really private ones (with sensitive information) in your original GitHub account.
I believe you're looking for X-OAuth-Scopes. This is a well-defined header so that you may restrict your access scope to, for example, public repositories only.
The github developer documentation here says:
... space-delimited list of scopes. If not provided, scope defaults to an empty list for users that have not authorized any scopes for the application. For users who have authorized scopes for the application, the user won't be shown the OAuth authorization page with the list of scopes. Instead, this step of the flow will automatically complete with the set of scopes the user has authorized for the application. For example, if a user has already performed the web flow twice and has authorized one token with user scope and another token with repo scope, a third web flow that does not provide a scope will receive a token with user and repo scope.