Can GitHub personal access tokens be set to single use only?
I'm reading the GitHub Personal Access Token setup guide. It appears that I create a 'token' to eliminate the need for my 2FA code when using GitHub from the command line.
I want this token to either expire after I use it, or I want the ability to delete it permanently somehow after I use it. Is this possible? Otherwise it seems to defeat the purpose of 2FA because if somebody got my token they could get into my GitHub without 2FA.
There are two options: Delete a single token, or Revoke all tokens in GitHub.
I wanted to push my React project to GitHub, but if I try putting in my username and password, I get this message:
The annoying part is when I try using a personal access token instead, I get the "fatal: unable to access 'https://github.com/samisamara/personalWebpage.git/': The requested URL returned error: 403" error.
I used all saved tokens I had on me (I always remember to save my tokens so I don't lose them) and I even tried to make a new token, but neither worked. So git is making me use my GitHub password instead of a personal access token, but it also requires a personal access token instead. I'm basically locked out of doing any commits, and I have no idea what to do. Does anyone have a solution to this?
I found an answer to this. When you generate a new token, you have to check the "repo" checkbox. I didn't check that last time, so the key didn't have permission to actually do anything.
I am using VS Code for the first time to set up GitLab on my Mac laptop. While setting up the personal access code for my site, I entered the code for gitlab.com (the default site). Can you please guide me on where these details get saved in GitLab and how to delete them?
On GitLab, go to User Preferences (top right corner, Preferences), then select Access Tokens in the left nav bar.
Or follow this link: https://gitlab.com/-/profile/personal_access_tokens
Search your token under 'Active personal access tokens' and Revoke it.
It is easier with GitLab 15.0 (May 2022):
Revoke a personal access token without PAT ID
In previous versions of GitLab, personal access tokens could be deleted only by the ID.
Because none of the endpoints return an ID from a given value, you couldn’t delete a personal access token if you only had the token value.
You can also now use the personal_access_tokens/self endpoint to revoke a PAT with a single request.
The endpoint revokes the PAT used to make the request, making it easy to quickly revoke PATs in case of a leak.
Thank you Hemanth Krishna for your contribution!
See Documentation and Issue.
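To make the self-revoke endpoint from that release note concrete, here is a small Python script (added here as an example; it is not GitLab's own code) that sends the single request. It assumes the GitLab API path `/api/v4/personal_access_tokens/self` with the token passed in the `PRIVATE-TOKEN` header, that GitLab answers 204 No Content on success and 401 when the token is already invalid, and that the instance URL and token come from the environment variables `GITLAB_URL` and `GITLAB_TOKEN` (both names chosen for this example). Because the token authenticates the request that kills it, this is the one call you can make from a leaked token's point of view without knowing its numeric ID.

```python
"""Revoke the GitLab personal access token that authenticates the request itself.

Example code, not part of GitLab. Assumes GitLab >= 15.0 and the
DELETE /api/v4/personal_access_tokens/self endpoint described in the release note.
"""
import os
import sys
import urllib.error
import urllib.request


def mask_token(token: str, keep: int = 4) -> str:
    """Return a log-safe form of a token: first `keep` characters, then asterisks."""
    if len(token) <= keep:
        return "*" * len(token)
    return token[:keep] + "*" * (len(token) - keep)


def build_self_revoke_request(base_url: str, token: str) -> urllib.request.Request:
    """Build DELETE /api/v4/personal_access_tokens/self, authenticated by the token it revokes."""
    url = base_url.rstrip("/") + "/api/v4/personal_access_tokens/self"
    # urllib normalises header capitalisation; HTTP header names are case-insensitive anyway.
    return urllib.request.Request(url, method="DELETE", headers={"PRIVATE-TOKEN": token})


def classify_response(status: int) -> str:
    """Map the HTTP status to an outcome (204 and 401 per the assumed GitLab behaviour)."""
    if status == 204:
        return "revoked"
    if status == 401:
        return "already-invalid"  # token was never valid, or was revoked earlier
    return "error"


def revoke_current_token(base_url: str, token: str, timeout: float = 10.0) -> str:
    """Send the self-revoke request and return one of: revoked, already-invalid, error."""
    req = build_self_revoke_request(base_url, token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status)
    except urllib.error.HTTPError as err:
        return classify_response(err.code)


if __name__ == "__main__":
    # Example usage: GITLAB_URL=https://gitlab.com GITLAB_TOKEN=glpat-... python revoke_self.py
    base = os.environ.get("GITLAB_URL", "https://gitlab.com")
    tok = os.environ.get("GITLAB_TOKEN")
    if not tok:
        sys.exit("set GITLAB_TOKEN to the token you want to revoke")
    outcome = revoke_current_token(base, tok)
    print(f"{mask_token(tok)}: {outcome}")
    sys.exit(0 if outcome != "error" else 1)
```

A useful check after running it: repeat any authenticated call with the same token; it should now fail with 401, which is also what `classify_response` reports if the script is run a second time.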
So I wish to use an Emacs plugin called grip-mode, which uses an application called grip under the hood that uses GitHub’s API to render markdown text. But unless an access token (which can have an empty scope) is provided, it hits GitHub’s hourly rate limits. So I want to put an empty-scoped access token for grip-mode. Problem is, my Emacs configuration is stored in a public repository, and so, I want to make sure an access token with an empty scope can’t be used maliciously before I put it in my configuration. So, can an empty-scoped access token be used maliciously? Or is it harmless to use it?
Not a complete answer, but at least one can use the PAT to consume your API limits, either by using the plugin normally or using the token maliciously.
From GitHub docs:
Authenticated requests are associated with the authenticated user, regardless of whether Basic Authentication or an OAuth token was used.
For example they can scrape PATs exposed on GitHub and use the tokens to perform high-rate API calls.
Or if one of your users uses the token frequently, all other users will not be able to use the plugin.
Also, GitHub does not recommend using your PAT in this case.
I am using "forgot password" to change my GitHub password, but it requires 2FA credentials, and I lost the 2FA app as well. So is there any way I can change my password without using 2FA credentials?
A list of possibilities is given in this help page on GitHub.
To summarize, you can recover your account on your own, even after losing your 2FA app, if you (already) have:
A recovery code: you can download and safely keep a list of backup codes for situations like this.
A fallback number: a second phone number associated with your account.
A security key: you can have, for example, a physical USB stick as a security key.
Without these, two more methods are provided, but they will take longer and are not guaranteed to recover your account:
Using a verified device, SSH token, or personal access token: you can apply for account recovery by proving that you are logging in from a device you have used before, or using an SSH or personal access token that has been used before. The request will then be manually considered by GitHub support.
Using an account recovery token on Facebook (if you have set it previously): This also requires manual verification.
In general, to avoid such issues in the future, it would be advisable to download (and perhaps print a physical copy of) the recovery codes for each service you use 2FA with, as that would be one of the easiest and fastest ways to recover your account.
The goal: Using my account I would like a server to periodically check the feed of a closed group which I'm a member of.
The problem: To do that I need an access token which I can generate manually but it expires.
What I would like to be able to do: Automatically generate access tokens for my account from the server in some way without manual interaction.
Thanks!
As WizKid commented, it's not possible to generate Access Tokens on the server. The whole concept of short-time tokens would be useless if that were possible. You can only extend your User Token to 60 days; read the docs for information about that:
https://developers.facebook.com/docs/facebook-login/access-tokens/
https://developers.facebook.com/docs/php/FacebookSession/4.0.0#getlonglivedsession