Remove excessive Github oauth scope #94
Currently, the Github integration requires lots of privileges. This changes it to require no privileges and only use the user access token to fetch the user's username. All requests are performed by the personal access token provided in `GITHUB_TOKEN`. The personal access token only needs read access to any private mil/mil-electrical repos. The only features which utilize individual users' oauth tokens are `get_user_contributions` and `commits_across_branches`. Their functionality has been tested and can successfully make a report. This change is minimally invasive.

Future work:
- migrate DB to only contain usernames instead of device codes/oauth tokens
- query MIL repositories instead of individual users for their activity
- switch application's personal access token to an app token
9df3a75 to 78dc01c
Can you provide screenshots of what a new member may see when they connect their GitHub account?
What's left before this PR can be merged?
@Omnikar @wingdeans I talked to Daniel and apparently the method that this PR uses to fix the OAuth scope issue is not feasible because of rate limits that come with using one personal GitHub token for everything. To actually fix this issue I think we'll have to move from OAuth to GitHub Apps instead and I'll make an issue for that soon.
Oh, that's unfortunate. I'm looking forward to this issue being able to be resolved properly soon though.
How many users are we looking to scrape per hour? My back-of-the-napkin calculations give 200 executions, so for 50 users we can regenerate reports 4 times per hour. It doesn't look like switching to Github Apps will increase our tokens past 5,000 unless we pay for Github Enterprise [link].
We have around ~70 members a semester and ideally we can just scrape right before the deadline each week. So by your calculations using just one GitHub token should be sufficient right?
It should, as long as the user that owns the access token doesn't use up too many tokens (we should be able to make a separate MIL github user to ensure this?). If we need more than 200, there's a lot of room to optimize the requests; we're being quite wasteful right now.
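As an added illustration (not code from this PR or the project), here is the token split the description proposes together with the rate-limit caveat raised in the thread: the user's OAuth token is requested with an empty scope and signs only `GET /user`, every repository read goes through the shared `GITHUB_TOKEN` PAT, and the PAT's remaining hourly budget is read from the `X-RateLimit-Remaining` header so an exhausted budget is reported instead of silently failing. The transport, token values, login and the owner/repo split of "mil/mil-electrical" are constructed stand-ins so the example runs offline.

```python
from dataclasses import dataclass
from urllib.parse import urlencode

GITHUB_API = "https://api.github.com"

def authorize_url(client_id: str, state: str) -> str:
    """OAuth authorize URL with an empty scope: the app only needs the user's login."""
    return "https://github.com/login/oauth/authorize?" + urlencode(
        {"client_id": client_id, "scope": "", "state": state})

@dataclass
class GitHubClient:
    pat: str                    # shared GITHUB_TOKEN with read access to the org repos
    transport: object           # callable(method, url, headers) -> (status, headers, body)
    rate_remaining: int = 5000  # assumed starting budget: GitHub's hourly authenticated cap

    def _get(self, path: str, token: str):
        status, headers, body = self.transport(
            "GET", GITHUB_API + path, {"Authorization": f"Bearer {token}"})
        if token == self.pat and "X-RateLimit-Remaining" in headers:
            self.rate_remaining = int(headers["X-RateLimit-Remaining"])
        if status != 200:
            why = "PAT rate limit exhausted" if self.rate_remaining == 0 else f"HTTP {status}"
            raise RuntimeError(f"{path}: {why}")
        return body

    def username_for(self, user_oauth_token: str) -> str:
        """The only call signed with the user's token: resolve their login."""
        return self._get("/user", user_oauth_token)["login"]

    def commits_by(self, owner: str, repo: str, login: str) -> list:
        """Repository data is read with the PAT, never with the user's token."""
        return self._get(f"/repos/{owner}/{repo}/commits?author={login}", self.pat)

# Constructed offline stand-in for api.github.com; records which token signed each call.
CALL_LOG: list = []
FAKE_LOGINS = {"user-token-1": "alice"}  # constructed user OAuth token -> login
def fake_transport(method: str, url: str, headers: dict):
    token = headers["Authorization"].split(" ", 1)[1]
    CALL_LOG.append((url.replace(GITHUB_API, ""), token))
    if url.endswith("/user"):
        return 200, {}, {"login": FAKE_LOGINS[token]}
    if token != "service-pat":  # a scope-less user token cannot read repositories
        return 404, {}, {"message": "Not Found"}
    return 200, {"X-RateLimit-Remaining": "4998"}, [{"sha": "abc123"}]

def build_report(client: GitHubClient, user_token: str) -> dict:
    login = client.username_for(user_token)
    commits = client.commits_by("mil", "mil-electrical", login)  # owner/repo: constructed split
    return {"login": login, "commits": len(commits), "pat_budget_left": client.rate_remaining}
```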