app-generator / appseed-v2

AppSeed - The New Core | Work In Progress
https://app-generator.dev

URGENT: Github Sign IN requires user authorization to access EVERYTHING in their account #195

Closed csala closed 2 weeks ago

csala commented 2 weeks ago

I just stumbled upon the https://app-generator.dev/ website and tried clicking on the Github Sign IN button.

In the Github consent page I was warned about AppSeed requesting access to absolutely everything from my Github: public and private repos, settings, deploy keys...

[image: screenshot of the GitHub consent page]

If this is intentional it is a huge red flag. If this is a mistake it is even worse, because it may put your users at risk.

I suggest that you urgently address this and revoke any access that any user may have already granted.

app-generator commented 2 weeks ago

Hello @csala

Noted the above. The platform aims to empower the users to:

We are looking for a solution to enable only the login, at first, and later let the user add permissions:

Allowing users to add their GH key, might be a solution.

Being an Opensource App Generator anyone can check transparently what happens with the business logic.

In case you have the time, feel free to join the Discord community and chat 1-1 with the support.

https://discord.gg/fZC6hup

Thanks for the feedback.
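The login-only-first approach the maintainer describes above, as an added example (this is not code from the appseed-v2 project): it builds a GitHub OAuth consent URL limited to identity scopes, refuses to request repo/org/key scopes at sign-in, and parses GitHub's X-OAuth-Scopes response header to find tokens that were granted under the earlier all-access flow and should be revoked. The client ID, redirect URI, state value and header contents are constructed placeholders.

```python
from urllib.parse import urlencode, parse_qs, urlparse

# GitHub's documented OAuth-app authorize endpoint.
GITHUB_AUTHORIZE_URL = "https://github.com/login/oauth/authorize"

# Least-privilege scope set for "Sign in with GitHub": identity only.
LOGIN_SCOPES = ("read:user",)

# Scopes granting write or admin rights over repos, orgs, keys or hooks.
# A sign-in flow should never ask for any of these up front.
HIGH_RISK_SCOPES = {
    "repo", "delete_repo", "workflow", "admin:org", "write:org",
    "admin:public_key", "admin:repo_hook", "admin:org_hook", "admin:gpg_key",
}


def build_authorize_url(client_id, redirect_uri, state, scopes=LOGIN_SCOPES):
    """Build the GitHub consent URL, refusing high-risk scopes at sign-in."""
    risky = set(scopes) & HIGH_RISK_SCOPES
    if risky:
        raise ValueError(f"sign-in must not request {sorted(risky)}")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # GitHub separates scopes with spaces
        "state": state,             # anti-CSRF token, checked on callback
    }
    return f"{GITHUB_AUTHORIZE_URL}?{urlencode(params)}"


def scopes_in_url(url):
    """Return the scope set a consent URL will ask the user to approve."""
    query = parse_qs(urlparse(url).query)
    return set(query.get("scope", [""])[0].split())


def granted_scopes(x_oauth_scopes):
    """Parse the comma-separated X-OAuth-Scopes header from a GitHub API reply."""
    return {s.strip() for s in x_oauth_scopes.split(",") if s.strip()}


def overbroad(granted, expected):
    """Scopes a stored token holds beyond what sign-in should have requested."""
    return set(granted) - set(expected)


if __name__ == "__main__":
    print(build_authorize_url("CLIENT_ID_PLACEHOLDER", "https://example.invalid/cb", "s3cr3t"))
    # Constructed header for a token issued under the old all-access consent.
    old_token = granted_scopes("repo, admin:org, admin:public_key, read:user")
    print("revoke, over-privileged:", sorted(overbroad(old_token, LOGIN_SCOPES)))
```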

app-generator commented 2 weeks ago

Fixed in v1.0.14

@csala please check now.

TY!

csala commented 2 weeks ago

Thanks for the quick reaction time @app-generator!

Yes, I understand what you mention about wanting the platform to be able to handle everything on behalf of the user, but giving access to everything up front, including unrelated repos and orgs, feels way too intrusive and insecure.

What you suggested (and already implemented) about getting the minimal user information initially and then figure out deeper permissions when needed sounds much better :-)

As a suggestion, apart from GH Keys to act on behalf of the user, you may consider an alternative route: Have a bot user (maybe just this one, @app-generator) which users can invite into the organizations or repositories which they want the App Generator to manage, then they can cherry pick what they give it access to. I'm not really sure if this would be simpler for the user or more flexible than issuing personal access tokens, but just dropping the suggestion for you to consider it.

In case you have the time, feel free to join the Discord community and chat 1-1 with the support

https://discord.gg/fZC6hup

I'm already there, csaladev. Happy to chat there if I can be of more help.

app-generator commented 2 weeks ago

Great suggestion @csala we will try it.

Besides the permissions, the service can be used via CLI or API. For instance, anyone can generate a Django Codebase using the CLI (soon to be added to the DOCS):

https://github.com/app-generator/appseed-v2?tab=readme-ov-file#cli-interface

$ python manage.py generator -i # Print HELP 
$ python manage.py generator -f sources/input-template-volt.json

Like this, all platform features can be used without an account on the App-Generator domain.

Thanks again for your feedback.