
@sgolemon
Last active August 29, 2015 14:23
Questionable use of GitHub APIs

Over-reacted to second hand info and misinterpreted docs.

I do think OAuth providers (like GitHub, Twitter, Facebook, etc...) should do more to discourage apps from requesting write access. It PARTICULARLY disturbs me that admin:public_key is even an option in GitHub's Scopes. So the potential for disastrous outcomes certainly exists when granting access to apps via GitHub's OAuth system, but provided that you carefully read what you're granting access to, it's not necessarily as bad as my original post (left intact below) made it out.


During a Twitter conversation[1] this morning, I discovered that in order for an application to get something as simple as your name during a single sign-on, it has to ask for full user profile information. That's a bit scary by itself, but when asking for full profile information, it also has to ask for read and WRITE permissions.[2]

Yes, in order to use single sign-on to a 3rd party site, I have to give that site the rights to modify my email address list. A malicious site might potentially insert an address they control, which for an account without 2-factor authentication, means an easy take-over, and subsequent ability to poison any repos you control.

In OSS development circles, we call this "worst case scenario". Well done, GitHub.

1 - https://twitter.com/SaraMG/status/614518376572936192
2 - https://developer.github.com/v3/oauth/#scopes

@sgolemon
Author

Update: It may be that 'user' doesn't include write access to 'user:email', but the clowniness of granting ANY degree of write access to random 3rd party apps stands.

@jasonrudolph

If I'm understanding correctly, you're wanting to get the user's name, but you don't want to ask for any privileged access to the user's GitHub account. Is that right?

If so, you should be able to accomplish that by asking for a scopeless token. See the "(no scope)" section in the OAuth section of the GitHub API docs. A scopeless token:

Grants read-only access to public information (includes public user profile info, public repository info, and gists)

Once you have a scopeless token, you can use that token to fetch the public profile data for the user. You can see that in action in the request below. In the response, note that the X-OAuth-Scopes header is empty (indicating that it's a scopeless token), and note that the "name" attribute provides the user's name.

Does that help?

$ curl -i -H "Authorization: token REDACTED" https://api.github.com/user

HTTP/1.1 200 OK
Server: GitHub.com
Date: Fri, 26 Jun 2015 20:03:31 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 1314
Status: 200 OK
X-RateLimit-Limit: 5000
X-RateLimit-Remaining: 4997
X-RateLimit-Reset: 1435352611
Cache-Control: private, max-age=60, s-maxage=60
Last-Modified: Fri, 26 Jun 2015 19:01:08 GMT
ETag: "23eb98773ce281d66227a26e6f608e1b"
X-OAuth-Scopes:
X-Accepted-OAuth-Scopes:
Vary: Accept, Authorization, Cookie, X-GitHub-OTP
X-GitHub-Media-Type: github.v3
X-XSS-Protection: 1; mode=block
X-Frame-Options: deny
Content-Security-Policy: default-src 'none'
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: ETag, Link, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval
Access-Control-Allow-Origin: *
X-GitHub-Request-Id: AE6D3641:1224:245B86:558DB013
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Content-Type-Options: nosniff
Vary: Accept-Encoding
X-Served-By: 065b43cd9674091fec48a221b420fbb3

{
  "login": "jasonrudolph",
  "id": 2988,
  "avatar_url": "https://avatars.githubusercontent.com/u/2988?v=3",
  "gravatar_id": "",
  "url": "https://api.github.com/users/jasonrudolph",
  "html_url": "https://github.com/jasonrudolph",
  "followers_url": "https://api.github.com/users/jasonrudolph/followers",
  "following_url": "https://api.github.com/users/jasonrudolph/following{/other_user}",
  "gists_url": "https://api.github.com/users/jasonrudolph/gists{/gist_id}",
  "starred_url": "https://api.github.com/users/jasonrudolph/starred{/owner}{/repo}",
  "subscriptions_url": "https://api.github.com/users/jasonrudolph/subscriptions",
  "organizations_url": "https://api.github.com/users/jasonrudolph/orgs",
  "repos_url": "https://api.github.com/users/jasonrudolph/repos",
  "events_url": "https://api.github.com/users/jasonrudolph/events{/privacy}",
  "received_events_url": "https://api.github.com/users/jasonrudolph/received_events",
  "type": "User",
  "site_admin": true,
  "name": "Jason Rudolph",
  "company": "",
  "blog": "http://jasonrudolph.com",
  "location": "North Carolina, USA",
  "email": "",
  "hireable": false,
  "bio": null,
  "public_repos": 28,
  "public_gists": 27,
  "followers": 197,
  "following": 0,
  "created_at": "2008-03-13T15:02:53Z",
  "updated_at": "2015-06-26T19:01:08Z"
}
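The check below is an added example, not code from the gist, from @jasonrudolph or from GitHub. It shows the two halves of the least-privilege approach described in the comment above: requesting a scopeless token by leaving the `scope` parameter out of the authorize URL entirely, and then verifying, from the `X-OAuth-Scopes` header on the `GET /user` response, that the token really carries no scopes before the login integration accepts it. The sample responses are constructed in the style of the one posted above (not captured traffic), the `octocat`/`Example User` profile values and the `https://example.test/callback` redirect are placeholders, and the allow-list is a hypothetical policy for a login-only integration.

```python
"""Request a scopeless GitHub OAuth token and verify the token you got back.

Added example (not the gist's or GitHub's own code). Sample HTTP responses
are constructed to resemble the one in the thread; names and URLs are
placeholders.
"""
import json
from urllib.parse import urlencode

GITHUB_AUTHORIZE = "https://github.com/login/oauth/authorize"

# Hypothetical policy for a login-only integration: the token may carry no
# scopes at all. Anything else (user, admin:public_key, ...) is rejected.
ALLOWED_SCOPES = frozenset()


def build_authorize_url(client_id, redirect_uri, state, scopes=()):
    """Build the authorize URL. With an empty `scopes`, the `scope` query
    parameter is omitted entirely, which is how GitHub is asked for a
    scopeless (read-only, public-data) token. Scopes in the URL are
    space-delimited; `state` is the CSRF nonce the callback must echo back."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    if scopes:
        params["scope"] = " ".join(scopes)
    return GITHUB_AUTHORIZE + "?" + urlencode(params)


def parse_http_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers, body).
    Header names are lower-cased; a repeated header (e.g. Vary) is joined."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on the first colon only
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return status_code, headers, body


def token_scopes(headers):
    """Scopes actually attached to the token, as reported by GitHub in
    X-OAuth-Scopes (comma-separated; an empty value means scopeless)."""
    raw = headers.get("x-oauth-scopes", "")
    return [s.strip() for s in raw.split(",") if s.strip()]


def vet_login_response(raw, allowed=ALLOWED_SCOPES):
    """Accept the token only if every scope it carries is in `allowed`.
    Returns (ok, scopes, display_name); a non-200 response is never ok."""
    status, headers, body = parse_http_response(raw)
    if status != 200:
        return False, [], None
    scopes = token_scopes(headers)
    excess = [s for s in scopes if s not in allowed]
    profile = json.loads(body)
    return not excess, scopes, profile.get("name")


def _sample_response(scope_header):
    """Constructed GET /user response (not captured traffic)."""
    body = json.dumps({"login": "octocat", "name": "Example User", "email": ""})
    return (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/json; charset=utf-8\r\n"
        f"X-OAuth-Scopes: {scope_header}\r\n"
        "X-Accepted-OAuth-Scopes: \r\n"
        "\r\n" + body
    )


SCOPELESS_RESPONSE = _sample_response("")
OVERPRIVILEGED_RESPONSE = _sample_response("user, admin:public_key")

if __name__ == "__main__":
    print(build_authorize_url("abc123", "https://example.test/callback", "nonce"))
    for label, raw in (("scopeless", SCOPELESS_RESPONSE),
                       ("over-privileged", OVERPRIVILEGED_RESPONSE)):
        ok, scopes, name = vet_login_response(raw)
        print(f"{label}: ok={ok} scopes={scopes} name={name!r}")
```

The server-side check matters because the scopes in the authorize URL are only a request: a user can be sent a tampered link, or an app can later be reconfigured, and the `X-OAuth-Scopes` header is what tells you what the token in hand can actually do.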

@sgolemon
Author

Hopefully @Imgur looks at this and can comment. It certainly seems like a much saner approach to reading what is already public info.
