cheshire137 / gh-notifications-snoozer

Lists and filters and snoozing pull requests, oh my! This is an app for managing your notifications on GitHub by way of filtering issues and pull requests that are of interest to you.
MIT License

Use GitHub OAuth for authentication #105

Open cheshire137 opened 7 years ago

cheshire137 commented 7 years ago

This was originally brought up in #3 but we punted in favor of requiring users to give us a personal access token they created themselves. I wrote up in https://github.com/cheshire137/gh-notifications-snoozer/pull/102#issuecomment-254056398 our options for doing OAuth with an Electron app. I think we want to use implicit grant flow so the app doesn't have to store a client secret. That means we will need the app to spin up a proxy server at a particular port so we can set up an OAuth app on GitHub to redirect back to localhost at that port.

I also don't want the app to seem shady by displaying the GitHub login page in the app. We should open the user's default browser to let them sign into GitHub and authorize the app.

I think the app does not need to keep a proxy server running all the time, just when the user goes to authenticate with GitHub. I think the flow could go like this:

  1. We configure a GitHub OAuth app to redirect back to, say, localhost:3456 after authentication.
  2. User clicks button in app to sign into GitHub.
  3. App spins up proxy server at localhost:3456.
  4. App opens GitHub in default system browser, passing the app's client ID so the user can authorize the app.
  5. User authorizes app, gets redirected back to localhost:3456 in their browser.
  6. Our server grabs the token from the redirect URL and somehow passes it back to the app. Can the server write to secure storage via keytar and the app read it?
  7. App somehow gets notified key is available, shuts down server, uses key to fetch data for user.

Why use OAuth over a personal access token?

It's less scary for users. It's very familiar to see "sign in with Facebook," "sign in with GitHub," etc. in apps and websites. It's less familiar and also more work for the user to see "go here, create this thing with this particular scope, then copy-paste the mysterious bit of text into this app."