Use user user-name and token for GitHub API calls #2198
Conversation
|
@kenny-evitt Before talking about the code, I'd like to better understand the motivation. I haven't seen this in issues (though I've been less active) and I haven't encountered this issue myself. If this is for one user on gitter and they haven't taken the time to make their case for it on github, I don't think we should be immediately prioritizing it to build. This feature is also somewhat technical e.g. getting an auth token so I don't expect this to be a common user workflow. Probably worth checking if there are other ways to auth besides the url which would then require no change. If there are none, then I'd suggest minimal LT changes to allow GH credentials. |
|
@cldwalker There are a few issues that mention this or seem to involve it:
I created #2196 for the user that mentioned it in Gitter and I was going to point to similar changes, e.g. my adding the Node.js start options behavior, so anyone could work on it. Then I decided 'fuck it, I'll just implement it myself; it shouldn't take long' – and thus this PR. I wasn't prioritizing it as much as trying to kill it off before even adding it to our set of issues. Unfairly of me, I didn't really account for the cost of you or Magnus having to review it – I'm sorry for not doing that. I also don't expect this to be commonly used. But for anyone that is running into it, there's really no workaround available. If their public IP address is being shared (as I'd expect it is for almost everyone), then it's possible they could run into the limit pretty quickly. The TechnologyThere are only three ways to authenticate with GitHub:
[1], [2a], and [3] involve modifying the URL, which you want to avoid, but [2b] requires adding a header to all of the GitHub API requests, so I don't understand how that helps us "require no change". I also can't understand how we could (properly) use OAuth because there's no way for us to keep the client secret (that is generated by GitHub when we register our application with them) secret. The GitHub docs do state:
But I still don't think there's any way for us to get an authentication token securely. The link in the quoted text above starts:
So, we can create OAuth tokens for our not-a-website application, but we have to use Basic Authentication to do so. I'm also unclear about what credentials we're expected to or supposed to use. Whatever credentials we use, we can't really secure them if they're distributed with the LT app code. This blog post describes authenticating via OAuth in an Electron app too: But the author admits that the GitHub application client secret is stored in the Electron app .asar package (and that's not secure). I can't figure out how we could securely authenticate with OAuth. I asked a question on Stack Overflow about it too: It's very possible I'm an idiot and I'm missing something about how it's supposed to work or capable of working. |
Implements #2196
@cldwalker @rundis How's this look?