att / rcloud

Collaborative data analysis and visualization
http://rcloud.social
MIT License

github deprecation client_id/client_secret #2712

Closed gordonwoodhull closed 4 years ago

gordonwoodhull commented 4 years ago

Similar to att/rgithub#1, we are also getting a warning about client_id and client_secret

On February 14th, 2020 at 18:11 (UTC) your application (MyRCloud) used its client_id and client_secret (with the User-Agent R (3.5.1 x86_64-apple-darwin15.6.0 x86_64 darwin15.6.0) - RCloud (http://github.com/att/rcloud)) as part of a set of query parameters to access an endpoint through the GitHub API:

https://api.github.com/user

Please use Basic Authentication instead as using OAuth credentials in query parameters has been deprecated and will be removed July 1st, 2020.

I think this is the offending code, and their link about basic authentication may actually make sense here.

https://github.com/att/rcloud/blob/570ee40dbed67cbf8e44d3501b6e1a8d955044e4/packages/githubgist/R/do.R#L23-L35

gordonwoodhull commented 4 years ago

I again attempted to follow Basic authentication on Wikipedia and again failed:

eyeMac:rcloud gordon$ git diff packages/
diff --git a/packages/githubgist/R/do.R b/packages/githubgist/R/do.R
index f456baf6..b0570858 100644
--- a/packages/githubgist/R/do.R
+++ b/packages/githubgist/R/do.R
@@ -25,8 +25,7 @@ access.token.githubcontext <- function(query, ctx) {
   result <- POST(paste(rcloud.config("github.base.url"), "login/oauth/access_token", sep=''),
                  config=accept_json(),
                  body=list(
-                   client_id=ctx$client_id,
-                   client_secret=ctx$client_secret,
+                   Authorization=paste("Basic", base64encode(paste0(ctx$client_id, ':', ctx$client_secret))),
                    code=query["code"]))
   l <- list(token=content(result)$access_token)
   if (is.character(ret <- state$redirect) && length(ret) && nzchar(ret[1L]))
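
Review bot: the added `Authorization=paste("Basic", ...)` line sits inside `body=list(...)`, so it is sent as a form field named Authorization rather than as an HTTP request header, and the token exchange now reaches the server with no `client_id` or `client_secret` at all. If Basic authentication is wanted on this POST, pass it as a request config next to `accept_json()`, for example httr's `authenticate(ctx$client_id, ctx$client_secret)`, and keep `code` as the only body field. The removed lines also carried the credentials in the POST body, while the quoted notice is about query parameters on https://api.github.com/user, so it is worth confirming that this call is the one being flagged before changing it.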

Invalid token, could not authenticate with the back-end

s-u commented 4 years ago

No, that's not the reported location (notice that it says /user) - the OAUTH part is doing exactly what the API describes.

The issue is actually elsewhere - rgithub passes client_secret where it shouldn't https://github.com/att/rgithub/issues/2

gordonwoodhull commented 4 years ago

Aha, it's objecting to the query parameters not the body.

Thanks, closing in favor of att/rgithub#2
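
Added example, not part of the thread and not RCloud or rgithub code: a sketch of what GitHub's notice asks for, using httr to detect `client_id`/`client_secret` in a URL's query string and move them into HTTP Basic authentication. The function names, the sample URL and its credential values are constructed for illustration; the actual rgithub fix is tracked in att/rgithub#2 and may differ.

```r
library(httr)

# Parameter names GitHub's notice flags when they appear in the query string.
cred_params <- c("client_id", "client_secret")

# Names of OAuth application credentials found in a URL's query string.
# (Hypothetical helper, not an httr or rgithub function.)
creds_in_query <- function(url) {
  intersect(names(parse_url(url)$query), cred_params)
}

# Strip client_id/client_secret from the query string and return the cleaned
# URL plus an httr config that sends them as HTTP Basic authentication.
# (Hypothetical helper, not an httr or rgithub function.)
move_creds_to_basic <- function(url) {
  u <- parse_url(url)
  id <- u$query$client_id
  secret <- u$query$client_secret
  if (is.null(id) || is.null(secret)) {
    stop("URL does not carry both client_id and client_secret")
  }
  # Keep every other query parameter untouched.
  u$query <- u$query[setdiff(names(u$query), cred_params)]
  if (length(u$query) == 0) u$query <- NULL
  # authenticate() makes curl emit "Authorization: Basic base64(id:secret)",
  # so the secret travels in a header instead of the request URL.
  list(url = build_url(u), config = authenticate(id, secret, type = "basic"))
}

# Constructed sample values, not real credentials.
old_url <- paste0("https://api.github.com/user",
                  "?client_id=EXAMPLE_ID&client_secret=EXAMPLE_SECRET&per_page=5")

# The original URL is flagged; the rewritten one is clean.
stopifnot(setequal(creds_in_query(old_url), cred_params))
fixed <- move_creds_to_basic(old_url)
stopifnot(length(creds_in_query(fixed$url)) == 0)
print(fixed$url)

# The request would then be sent as: GET(fixed$url, fixed$config)
```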