search

18F / privacy-tools

GSA PII Dashboard
https://cg-9341b8ea-025c-4fe2-aa6c-850edbebc499.app.cloud.gov/site/18f/privacy-dashboard/
MIT License
2 stars 4 forks source link

[Sprint 4] Try GitHub app auth #44

Closed ondrae closed 4 years ago

ondrae commented 4 years ago

What

We are currently using @ondrae's personal access token to commit data to the dashboard repo. This isn't very secure. A more appropriate way is to authenticate using a GitHub App.

Why

A very small set of people, could take my access token and make nefarious commits, to a small set of repos. They could probably make bad comments on GitHub issues and things too.

How

Use this google script oauth library. Can add as library or

Alternatively, you can copy and paste the files in the /dist directory directly into your script project.

This blog may help.

Notes

My guess is that this makes it harder for Richard to own and delegate the work of keeping the spreadsheet up to date. It would require more instructions and is staff would need to have GitHub accounts.

It is a small security concern, with medium UX burden, with no new value for our partners.

Acceptance

ondrae commented 4 years ago

I have a demo working. Wait for the My GitHub info! menu option to appear and choose it. After authenticating with GitHub, do the menu option again.

In our dashboard case, after authenticating, we could give them a success message with instructions on how and when to check if it worked?

What do you think?