Oauth login signs me out

[jonathan-fielding]

Hey

I am finding the Oauth login works however it seems to be very temporary and new VScode windows will no longer be logged in. The personal access token method doesn't work for me due to my work Org using SAML login so this isn't an option for me.

Otherwise this plugin looks like exactly what I was looking for, I literally was thinking of creating this plugin but wisely thought about seeing what existed first.

Thanks

Jonathan

[jonathan-fielding]

Apologises, just found the setting, is there any reason that it doesn't save the auth by default?

[SrBrahma]

Hey! Well, I chose to not save it by default to warn the users (as the setting description says) that it isn't very secure to do it.

For now, it surely is, as the extension is not popular at all and would be a waste of time for a malicious user to create a malware to steal people's stored GitHub authentication, as they would only gain read and write access to repositories and they certainly wouldn't catch a victim (as it is not popular).

As the extension is deployed in Javascript, I really couldn't find a way yet to crypto the user auth in a good way to make the auth storage safe. I've been thinking of it even before of this extension deployment, and I really couldn't find a way to do it.

In the VsCode extension dev docs, they mention the [https://github.com/atom/node-keytar](), but I really didn't make any sense to me, as any program or extension could still access the stored auth.

If someone knows a way, help is appreciated!

[jonathan-fielding]

Any encryption that works two ways in a VS Code plugin will be susceptible to security issues, I guess what you could do tho is have the key encrypted using a password tho and have the user unlock the their oauth by entering the password (or if possible use Touch ID on Mac), its slightly less annoying to enter a password than to do a whole oauth again.

[SrBrahma]

Indeed. I also thought of this password solution in the past, but thought no one would would like to enter a* password instead of OAuthing again hehe xD

Well, after I deploy some old stuff here that needs some final touches (that i've been procrastinating for a month :P), I may do it.

Oh, there is also the new GitHub Authing way that a few extension are already using. But I don't know if they are and how they are storing it.

[SrBrahma]

@jonathan-fielding, marked it as a wontfix because If/when I move to the new VsCode Github OAuth system (basically just copy https://github.com/microsoft/vscode-pull-request-github/blob/5d009c2623c6060a7453a53c4ef3c57004c9ef00/src/github/credentials.ts) this password workaround won't be needed.

[SrBrahma]

Finally changed the auth system!