Is it possible to write VSTS dashboards in pure html - azure-devops

We use VSTS dashboards and like to use the "embedded webpage" widget to display customized information. We do this by linking to a server where we put some code that calls the VSTS REST API. We authenticate using Personal Access Tokens (PATs) stored on the server.
To simplify this process we could skip the server and PATs altogether by using the embedded webpage widget and pointing it to an HTML file. This HTML file would contain JavaScript and perform the API calls to VSTS and display the information. This however is not possible because of CORS restrictions. We would need to provide a PAT to perform CORS, which complicates things.
One workaround for this is to host the HTML page in git in VSTS. If we do this the CORS policy would match, but it is not possible to get the file from git with content type text/html, so the HTML is not rendered when put in the widget.
I also tried the IFrame extension which allows an iframe from a data: URI, but data URIs seem to have a different origin so it doesn't transfer the cookie, which means it won't authenticate.
I understand there is a security risk that it would be possible to perform API calls on behalf of whoever is viewing the dashboard, so it may be by design if it is not possible.
Is it possible to make a VSTS widget in pure HTML that calls the VSTS API without using PATs?

No, you can't; you need to do it in the extension HTML file directly.

Related

Can I exchange a github access token with raw file token

Does anyone know if there is any information about how the raw tokens are created?
TLDR is that I want to create links to files (specifically images) from private repos with the raw token attached. I need this to happen automatically; I do not want to "click the raw button" to get the token. That being said, I do have access to the logged-in user's personal access token. Can I use this access token in order to automatically create a raw link with the raw token attached?
Further info:
GHE is a bit broken, and fixing it doesn't seem to be top of the list for the GitHub developers. Trying to access images from a different domain results in CORB issues. I can get the files I need using octokit; as mentioned above the users do need to log in to GHE, so I have access to their access token.
What I want to do is to show markdown information. I get the markdown file through octokit, but in markdown you can of course link to images. These images will often be stored along with the markdown file in GitHub, resulting in either relative or direct URLs in the markdown file. I want to render this markdown file along with whatever images are specified in the markdown file, but as I mentioned earlier, rendering it directly will result in CORB issues.
The idea I had was that I instead could swap these GHE URLs for URLs with the raw token attached. Using a URL like that for an image would definitely work, and it does not matter that it isn't a permanent URL. On the contrary, it is more secure with a temporary token, and the URLs would be recreated every time the user hits the page anyway, so no need for permanent links.
If I could use the user's auth token to create a link to a raw image it would solve my issues. Is this possible? If not, do you have any suggestions on an alternative way to do this?
The only other way I can think of is to create a proxy that authenticates and fetches the files through octokit and returns them. This would however need to use a service account instead of the currently logged-in user, which opens up a security hole where users who shouldn't have access to certain files suddenly can use the proxy instead.
Am I missing something?
Thankful for any help!
No, personal access tokens and other similar tokens can't be used there. If you want to use a personal access token, you have two options:
Use the /repos/OWNER/NAME/contents/ endpoints with Accept: application/vnd.github.raw and pass the token in the Authorization header. This will return the raw file, but it won't use the correct content type, so it probably won't render in the browser; it can, however, be programmatically downloaded.
Use the same endpoint without that Accept header but with the Authorization header, and then you'll get a JSON response with download_url, which contains the correct token for that URL.
Note that all tokens in raw file URLs for private repositories are temporary and expire after a while, or when the user changes their password.
I would recommend that for your purpose you probably want to deploy these documents and images to some sort of static server on a periodic basis (say, with your CI system) and host them there. That's going to be a lot easier than trying to write a proxy.
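The two contents-API variants described in the answer, as an added example that is not part of the answer or of any GitHub library. It assumes Node 18 or later (global fetch, Buffer and URL), a token supplied via the GITHUB_TOKEN environment variable, and an injectable fetchImpl so that the parsing and redaction logic can be exercised against a constructed response without network access.

```javascript
// Added example (not from the answer): read a file from a private repository
// through the GitHub contents API, using either Accept variant the answer lists.
// Assumptions: Node 18+, token in GITHUB_TOKEN, fetchImpl injectable for offline runs.

const RAW_MEDIA = "application/vnd.github.raw";
const JSON_MEDIA = "application/vnd.github+json";

// Build the contents endpoint URL, encoding each path segment separately.
function contentsUrl(owner, repo, path, ref) {
  const encodedPath = path.split("/").map(encodeURIComponent).join("/");
  const base = `https://api.github.com/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/contents/${encodedPath}`;
  return ref ? `${base}?ref=${encodeURIComponent(ref)}` : base;
}

function authHeaders(token, accept) {
  return { Accept: accept, Authorization: `Bearer ${token}`, "X-GitHub-Api-Version": "2022-11-28" };
}

// Option 1: raw bytes. The response content type is generic, so treat it as a
// download for program use, not as a page to render.
async function fetchRawFile(opts) {
  const { owner, repo, path, ref, token = process.env.GITHUB_TOKEN, fetchImpl = fetch } = opts;
  const res = await fetchImpl(contentsUrl(owner, repo, path, ref), { headers: authHeaders(token, RAW_MEDIA) });
  if (!res.ok) throw new Error(`GitHub contents API returned HTTP ${res.status}`);
  return res.text();
}

// Option 2: JSON metadata. download_url carries a short-lived token; the base64
// body lets the caller decode locally and never handle that URL at all.
function parseContentsResponse(body) {
  if (!body || body.type !== "file") throw new Error("response does not describe a single file");
  const content = body.encoding === "base64" ? Buffer.from(body.content, "base64").toString("utf8") : null;
  return { downloadUrl: body.download_url, content, sha: body.sha, size: body.size };
}

async function fetchFileMetadata(opts) {
  const { owner, repo, path, ref, token = process.env.GITHUB_TOKEN, fetchImpl = fetch } = opts;
  const res = await fetchImpl(contentsUrl(owner, repo, path, ref), { headers: authHeaders(token, JSON_MEDIA) });
  if (!res.ok) throw new Error(`GitHub contents API returned HTTP ${res.status}`);
  return parseContentsResponse(await res.json());
}

// The token query parameter of a raw URL is a credential: strip it before the
// URL reaches a log line or an error message.
function redactRawUrl(url) {
  const u = new URL(url);
  if (u.searchParams.has("token")) u.searchParams.set("token", "REDACTED");
  return u.toString();
}

// Constructed sample shaped like a contents API response; every value is made up.
const SAMPLE_RESPONSE = {
  type: "file", encoding: "base64", size: 6,
  sha: "0000000000000000000000000000000000000000",
  path: "version.txt", content: "MS4yLjMK", // base64 of "1.2.3\n"
  download_url: "https://raw.githubusercontent.com/octocat/private-repo/main/version.txt?token=CONSTRUCTED_TOKEN",
};

// Stand-in for fetch so the example runs offline.
function stubFetch() {
  return Promise.resolve({ ok: true, status: 200, json: async () => SAMPLE_RESPONSE, text: async () => "1.2.3\n" });
}

if (typeof require !== "undefined" && require.main === module) {
  fetchFileMetadata({ owner: "octocat", repo: "private-repo", path: "version.txt", token: "placeholder", fetchImpl: stubFetch })
    .then((f) => console.log(f.content.trim(), redactRawUrl(f.downloadUrl)));
}
```

Replace stubFetch with the global fetch (the default) to run it against a real repository; the token then comes from GITHUB_TOKEN and never needs to appear in a URL.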

How to automatically fill in proposed code changes in the "Edit" URL for a GitHub file?

EDIT: See the comments on Schwern's answer for what I'm looking for in general. It doesn't have to be exactly what I'm asking for in the question.
I have a web app which is an editor. I would like users to be able to give me a GitHub file URL, my app would automatically load in the file from GitHub, and then I make a process for them which is as easy as possible to submit that change to GitHub again. Ideally the user wouldn't need to save / upload a file or do any copy/pasting.
GitHub has a URL scheme where you can go to an "Edit" page for a file, make your changes, and then create a PR or create a commit (depending on what you would like to do and your permissions). This is an example:
https://github.com/rails/rails/edit/main/README.md
Looking at the HTML for the form I see that some of the fields have names associated. Using those names I can auto-fill the commit title and description:
https://github.com/rails/rails/edit/main/README.md?message=foo&description=bar
But I can't find a way to automatically fill in/replace the actual contents of the file. Is there a way?
I realize that for some browsers URLs can only be so long (maybe that's not true anymore?), so maybe this isn't perfect. I'd also be open to other suggestions on how to accomplish what I'm looking for.
Don't try to do this via web scraping; it's fragile and slow. Use the GitHub API.
Specifically, you'd get access via OAuth, get the file, let the user edit it, and then send the edited version.
There is no way to do exactly what you want. The ideal tool for this job is an OAuth App. However, creating one with the GitHub API requires that you store a client ID and a client secret, and there is no secure way to store the client secret in a frontend-only app.
Therefore, you'll need to create a backend to create the OAuth app so that you can issue credentials necessary to use the API on behalf of the user or to push data into the repository via the standard protocols.
As Schwern mentioned, you should not try to do this by driving the GitHub web interface. That isn't a stable interface and may break at any time.

Static Website, File Upload and recaptcha

I am just thinking about what the best approach is to implement a simple form with file upload on a static website without any backend.
Scenario:
I have a static website (NuxtJS) where a form can be filled in and files can be uploaded.
To protect this form I wanted to use reCAPTCHA by Google, but as I read a little further in their documentation it seems that I need a backend, which is overkill for a static website.
Furthermore, I wanted to support file upload... quite complicated without a backend.
What I thought of:
Maybe an existing product which does exactly what I am looking for? Or should I build an AWS Lambda pipeline (of course with an S3 bucket) to function as my "backend" for reCAPTCHA and file upload?
Is there any approach which makes this scenario simpler, or am I thinking too complicated at the moment?
Use Case / Flow Chart:
User enters website.
Fills out form.
(optional) Uploads files.
Checks reCAPTCHA.
Clicks Send - sends "Message" to our company's Slack channel or email.
However, I solved this "common" task with a custom "backend" hosted on AWS Lambda, which makes the whole thing "serverless".
For those who are interested in "how to set up a serverless backend", here's the current flow chart which I made use of.
As you can see, after the reCAPTCHA is validated on the client side and a token is generated, it is sent to the AWS API Gateway, which triggers a Lambda function (NodeJS implementation of a backend) where the token is validated and, for file uploads, pre-signed URIs are generated.
Notice: The API Gateway and the S3 bucket need a valid CORS configuration to communicate with each other and the world.

Embedding HTTP response into Confluence without HTML Macro

Context: The HTML Macro is disabled on my company's Confluence.
Use-case: Embed content returned by an internal web-site.
Example: We have a table that lists various sites we have deployed. We have a Confluence page, with a table describing each, and with a URL to each.
Each site also supports a "/ping" that tells us it is live. Is there a way to embed the (simple textual) response from that ping as another column, without the use of HTML Macro?
Stretch goal: If our REST /ping returns Markup/Markdown ...is there a way to get some minimal formatting?
I am working on something similar as well that calls a public REST API to aggregate some results on a Confluence page.
Anyway, I am guessing the HTML macro is disabled in your company for security reasons. Since you have specific REST API endpoints, I would suggest that you create your own custom plugin with a macro. Design it so that the macro can take a param to know which site endpoint to call server side. You can process your requests and let the macro return a string which you can stylize however you want. This is the simplest and cheapest solution (since you won't be paying license fees for a third-party addon), and also the most secure since you have control over the code.
Is your Confluence instance Server or Cloud? Have you tried asking in the Atlassian community forums?
If your company can disable the free alternative, then use the paid alternative: Adaptavist ScriptRunner script macro.

How can I view a raw text file on GitHub permanently?

How can I view a raw text file on GitHub?
I created an unlisted repo, and inside the repo is a text file.
When I view it in raw format I get exactly what I want. And if I use C# to download the text of that page, I get what I want.
My only concern is that the link to the GitHub raw file is
https://raw.githubusercontent.com/USERNAME/STUFF/master/version.txt?token=THETOKEN
Does the THETOKEN part ever change? Like, can I use this link for the rest of my life to access that raw text file? Or does the link change?
The token part is an auth token, so it will work as long as that set of credentials is valid (until you revoke it). However, you should still manage that token as a secret.
If you plan to share this C# program with others you should not share your token with them, since this will give them access to other parts of your GitHub account.
If you want to share this file publicly you should publish it to a public CDN or another service that provides access control. For example, you can use Amazon S3 with signed URLs for a few cents a month.