NirmalScaria / le-git-graph

Browser extension to add git graph to GitHub website.
https://chrome.google.com/webstore/detail/le-git-graph-commits-grap/joggkdfebigddmaagckekihhfncdobff
MIT License
3.13k stars 16 forks

Option for PAT based authentication #33

Closed Gakk closed 1 year ago

Gakk commented 1 year ago

Due to security concerns I cannot use this on private repositories, as it authenticates directly through your own server.

I suggest you rewrite the plugin to accept a personal access token (PAT), e.g. the same way as the popular Refined GitHub does. If so, a fine-grained token could have been supplied, which is more security transparent.

alenkei-pcp commented 1 year ago

+1 for this!

Meital-Zicharevich commented 1 year ago

+2

NirmalScaria commented 1 year ago

Heyy! I almost completed the custom PAT feature and this happened.

Screenshot 2023-02-14 at 1 57 45 PM

Turns out fine-grained PAT doesn't yet support GraphQL. But classic tokens work with GraphQL (I tested). So, the only advantage will be, authentication could be completed without involvement of a backend server and without authorising an OAuth app (which were otherwise essential in the case of GitHub auth). I'm not sure what to do. Does this make the whole purpose useless or, should the option be given if anyone wants to use their own classic token? The code is mostly ready in any case. :) Looking forward to your suggestions.

@Gakk @alenkei-pcp @Meital-Zicharevich

Gakk commented 1 year ago

@NirmalScaria Fantastic to hear you have started implementation 🥳👍

I was not aware of the limitation for fine-grained PAT, but this is no show-stopper as GitHub is working on implementing support:

All of these quotes are by GitHub employees on the feedback tracking issue for fine-grained PATs: https://github.com/community/community/discussions/36441

And even when using classic tokens, the authentication would still be more transparent and acceptable 😇

NirmalScaria commented 1 year ago

Heyy! I'm happy to let you know this has been implemented. The authentication page options now contain a third option, to choose a custom PAT. And I hope it would work out of the box once GitHub supports fine-grained PAT for GraphQL.

Screenshot 2023-02-14 at 3 27 47 PM

Thank you so much for the support, @Gakk. The release could be expected for Firefox today and in a few days for Chrome.

Gakk commented 1 year ago

Perfect, will test it when the release for Chrome is available 🚀👍

NirmalScaria commented 1 year ago

@Gakk It has been released. Hope you like it. 😌

usuallyno commented 1 year ago

Thank you for the update. Which are the minimum permissions to let the extension work?

NirmalScaria commented 1 year ago

@usuallyno Sorry for the late response. The minimum required permission is public_repo permission.

Screenshot 2023-02-26 at 5 19 44 PM
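
An added example, not part of the thread or of the extension's code: a least-privilege check a user or extension could run on a classic PAT before storing it, using the `public_repo` minimum stated above. The token prefixes and the `X-OAuth-Scopes` response header are GitHub conventions; the function names and sample values are hypothetical.

```javascript
// Added example: audit a classic PAT's scopes against the minimum the thread names.
// Function names and sample inputs are constructed for illustration.

const REQUIRED_SCOPE = 'public_repo'; // minimum permission stated in this thread

// Classify a token by its documented prefix without sending it anywhere.
function tokenKind(token) {
  if (token.startsWith('github_pat_')) return 'fine-grained';
  if (token.startsWith('ghp_')) return 'classic';
  return 'unknown';
}

// Parse the comma-separated X-OAuth-Scopes header GitHub returns for classic tokens.
function parseScopes(headerValue) {
  if (!headerValue) return [];
  return headerValue.split(',').map((s) => s.trim()).filter(Boolean);
}

// Report whether the token is sufficient and which scopes exceed the minimum.
// `repo` is the parent scope of `public_repo`, so it satisfies the requirement
// but is still listed as excess because it also grants private-repository access.
function auditScopes(headerValue, required = REQUIRED_SCOPE) {
  const scopes = parseScopes(headerValue);
  const sufficient =
    scopes.includes(required) ||
    (required === 'public_repo' && scopes.includes('repo'));
  const excess = scopes.filter((s) => s !== required);
  return {
    scopes,
    sufficient,
    excess,
    leastPrivilege: sufficient && excess.length === 0,
  };
}

// Read the scope header for a token from the REST API.
// Network call: shown for completeness, not needed to use auditScopes().
async function fetchScopeHeader(token) {
  const res = await fetch('https://api.github.com/user', {
    headers: { Authorization: `Bearer ${token}` },
  });
  if (!res.ok) throw new Error(`token rejected: HTTP ${res.status}`);
  return res.headers.get('x-oauth-scopes');
}
```

A result with a non-empty `excess` list means the token grants more than the extension needs and is worth regenerating with fewer scopes.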