We've been getting emails like this to build.snapcraft.io's service address:
> Hi @build-snapcraft-io,
>
> On February 6th, 2020 at 21:33 (UTC) your application (Snapcraft) used its `client_id` and `client_secret` (with the User-Agent SnapcraftBuild) as part of a set of query parameters to access an endpoint through the GitHub API:
>
> https://api.github.com/repositories/155483798/contents/snap/snapcraft.yaml
>
> Please use Basic Authentication instead as using OAuth credentials in query parameters has been deprecated.
>
> Depending on your API usage, we'll be sending you this email reminder at most once every 3 days.
>
> Just one URL that was accessed with a User-Agent combination will be listed in the email reminder, not all.
>
> Visit https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters for more information.
>
> Thanks,
> The GitHub Team
See src/server/helpers/github.js: we use this approach in a few places where user auth isn't available and we have to use service auth. https://developer.github.com/v3/auth/#via-oauth-and-personal-access-tokens describes an approach to using OAuth access tokens via basic auth, but I haven't tested whether the same sort of approach works for OAuth application authentication rather than OAuth user authentication (can the client_id be used as a username?). This needs testing.
(We also pass client_id and client_secret as query parameters in src/server/handlers/github-auth.js, but note that this does not seem to be what the GitHub deprecation is talking about; that's part of the OAuth web flow, and those parameters are documented as required in that context.)
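An added example (not the project's `src/server/helpers/github.js`) of the migration the issue is asking about: the same GitHub API request with the app credentials moved out of the query string into an `Authorization: Basic` header, using `client_id` as the username and `client_secret` as the password, plus a guard that rejects any outbound URL still carrying a credential. Function names and the sample credentials are assumptions; only Node built-ins (`URL`, `Buffer`) are used.

```javascript
// Added example, not the project's own helper. Function names are assumptions.
const SECRET_PARAMS = ['client_id', 'client_secret', 'access_token'];

// Deprecated shape: app credentials in the query string. Kept only so the
// guard below has something concrete to reject.
function legacyRequest(apiUrl, clientId, clientSecret) {
  const url = new URL(apiUrl);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('client_secret', clientSecret);
  return { url: url.toString(), headers: { 'User-Agent': 'SnapcraftBuild' } };
}

// Replacement: identical URL, credentials carried in an RFC 7617 Basic header
// (base64 of "client_id:client_secret") instead of the query string.
function buildServiceAuthRequest(apiUrl, clientId, clientSecret) {
  const url = new URL(apiUrl);
  const token = Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
  return {
    url: url.toString(),
    headers: {
      'User-Agent': 'SnapcraftBuild',
      Accept: 'application/vnd.github.v3+json',
      Authorization: `Basic ${token}`,
    },
  };
}

// Guard to run before every outbound GitHub call: query strings are copied
// into access logs, proxies and referrers, so refuse any URL that still
// carries a credential parameter. Returns true when the URL is clean.
function assertNoSecretsInUrl(urlString) {
  const url = new URL(urlString);
  const leaked = SECRET_PARAMS.filter((p) => url.searchParams.has(p));
  if (leaked.length > 0) {
    throw new Error(`credential(s) in query string: ${leaked.join(', ')}`);
  }
  return true;
}

// Decodes a Basic header back into its parts so the pairing GitHub will see
// can be checked (the password may itself contain ':').
function decodeBasic(header) {
  const [scheme, value] = header.split(' ');
  if (scheme !== 'Basic') throw new Error('not a Basic header');
  const [user, ...rest] = Buffer.from(value, 'base64').toString('utf8').split(':');
  return { user, password: rest.join(':') };
}
```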