decaporg / decap-cms

A Git-based CMS for Static Site Generators
https://decapcms.org
MIT License

Github backend requires full organization account access #4329

Open cbix opened 3 years ago

cbix commented 3 years ago

Describe the bug

We want to keep a static site project in a private github repo inside our organization and use netlify-cms for content management. However, the OAuth backend requires full read/write access to all repos of that organization and a more fine-grained selection of grants is not possible.

To Reproduce

  1. Create a new private repo inside a github organization with restrictive access (i.e. organization settings > third-party access > policy = access restricted)
  2. Set up a Hugo/GatsbyJS/... site with netlify-cms in that repo as described in the guide
  3. Configure the github backend for netlify-cms
  4. Deploy site on Netlify
  5. Create an OAuth2 app for Github authentication as described here
  6. Visit the site's netlify-cms backend and click Login with Github

Expected behavior

One would expect that it's possible to restrict netlify-cms access to only the relevant repositories (just like it's possible when setting up a Netlify site from Github).

Screenshots: [screenshot from 2020-09-17 17-39-35, image not preserved]

Applicable Versions:

CMS configuration

backend:
  name: github
  repo: my-org/my-repo
  branch: master

media_folder: static/img
public_folder: /img

collections:
  - name: 'blog'
    label: 'Blog'
    folder: 'content/blog'
    create: true
    slug: 'index'
    media_folder: ''
    public_folder: ''
    path: '{{title}}/index'
    editor:
      preview: false
    fields:
      - { label: 'Title', name: 'title', widget: 'string' }
      - { label: 'Publish Date', name: 'date', widget: 'datetime' }
      - { label: 'Description', name: 'description', widget: 'string' }
      - { label: 'Body', name: 'body', widget: 'markdown' }

Additional context

I am aware that this issue might not be directly related to netlify-cms but to either the Netlify API or the Github OAuth API. Please let me know if I should report this upstream instead, thanks!

Our current workaround is creating a separate Github organization with a single private repo and granting the Netlify Auth Service full access to this organization.

erezrokah commented 3 years ago

Thanks @cbix, we are currently limited by the available scopes for OAuth apps provided by GitHub: https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes

It would be amazing to limit the access to a specific repo, but that's not available at the moment. If GitHub Support has some more information regarding this, I would love to know about it.

cbix commented 3 years ago

Thanks @erezrokah for the quick reply. I had the same issue when evaluating forestry.io so I already considered it an issue with GitHub's API, however with their server-based solution there's the possibility of using deploy keys, which is probably not possible over the web-based API that netlify-cms uses... Anyway, it's good to hear that you are aware of this and it's not the desired way to go ;)

cbix commented 3 years ago

Got this response from the GitHub Developer Support:

Thank you for contacting GitHub Support.

Providing more granular OAuth scopes is already the biggest blip on the API team's radar and it's something we'd love to do. However, we can't make promises about if and when this might be available -- the API team is rolling out additional scopes as they are completed.

The best way to keep track of changes is to follow the API blog.

https://developer.github.com/changes/

Improving this situation about scopes is something the team has been working on. You might want to check out the recently-announced GitHub Apps (formerly Integrations) feature:

https://docs.github.com/developers/apps

GitHub Apps allow per-repository access and more finely-grained scopes. If you have any other follow-up questions about the GitHub API, OAuth Apps, or GitHub Apps, we recommend checking out our new GitHub API Development and Support Board:

https://github.community/c/github-api-development-and-support/37

Please let us know if you need any further help. [...]

I guess implementing a server-side GitHub app that provides API tokens to the client-side netlify-cms app means a significant amount of work. Also it seems like GitHub apps behave like a separate user so a big open question is if and how it's possible to a) authenticate a Github user towards the app and b) let the netlify-cms frontend create commits in the name of the authenticated user, without going through any server-side code and while still keeping the (very useful) possibility to restrict some users to only creating pull requests on the repo.

erezrokah commented 3 years ago

Great follow-up @cbix, very good to know GitHub is moving on this. I think there is a bigger pain here for any programmatic usage of GitHub's API since personal access tokens are also not limited to a specific repo, and creating a GitHub app just to have some GitHub automation is not ideal.

prakis commented 3 years ago

Netlify CMS still requires full access to all repos; it's not nice.

austinschrader commented 2 years ago

This is a huge issue, obviously. I can't grant Netlify access to every organization I'm a part of.

erezrokah commented 2 years ago

I can't grant Netlify access to every organization I'm a part of.

Hi @austinschrader, to clarify Netlify doesn't require access to every organization.

Netlify CMS (which acts as a GitHub client) requires repo access since it modifies repo files to manage content. That access can't be scoped to a specific repo due to the limitations specified in https://github.com/netlify/netlify-cms/issues/4329#issuecomment-694826032 (those are on GitHub's side).

We'd be happy to change the CMS implementation once GitHub supports better scoping.

prakis commented 2 years ago

@erezrokah I saw a few web apps asking for individual repo access (request access for repo on project basis).

erezrokah commented 2 years ago

@erezrokah I saw a few web apps asking for individual repo access (request access for repo on project basis).

Hi @prakis, can you share those?

prakis commented 2 years ago

Ya sure.

https://Railway.app, Render.com, Tina.io

These are some apps which use only selected repositories.

erezrokah commented 2 years ago

https://Railway.app

I tested this one and it installs a GitHub application on your organization: [screenshot not preserved]

GitHub apps do provide better granularity for permissions, but I don't think they can be used in a headless environment like the CMS. See https://docs.github.com/en/developers/apps/getting-started-with-apps/differences-between-github-apps-and-oauth-apps

WhalenSITHS commented 2 years ago

I can't trigger Netlify CMS to ask my github org for permission. We cannot publish articles, but we can access the netlify CMS admin page no issue. Nothing is prompting for access in my Org settings.

thbar commented 2 years ago

Still a problem for me; I cannot let my private repositories be accessed at Netlify login time, it would be too problematic in my case.

I wonder if offering an alternative with PATs (personal access tokens), which, if I understand correctly, can now be restricted to specific repositories (https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token), could be a nice solution.

At the moment, though, I cannot use Netlify on some important projects because of this limitation.

chriszrc commented 1 year ago

Until we get a working solution with PATs, it seems creating a new github account, and essentially using it as a "machine user":

https://docs.github.com/en/authentication/connecting-to-github-with-ssh/managing-deploy-keys#machine-users

is at least a workable option. Create a new user and then only invite that user to the CMS repos it should be able to access, and create the OAuth credentials under that user as well. You can reuse your existing email with the "+" hack, like "myemail@email.com" becomes "myemail+github-myproject-cms-etc@email.com", so you don't need new email accounts just to make these machine user accounts on github.

tim-at-topos commented 9 months ago

Maybe I'm misreading things, but https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes suggests that there is a scope called public_repo which limits access to only public repositories. Is this something that's come out since this issue was opened, or is it not usable for some reason?
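The thread turns on the difference between the `repo` scope and the narrower `public_repo` scope. As an added example (not Decap CMS or GitHub code), the snippet below audits which scopes a GitHub OAuth token actually carries, using the `X-OAuth-Scopes` header that GitHub returns on API responses; the scope implication table follows GitHub's OAuth scope documentation, and the header values are constructed.

```javascript
// Added example, not Decap CMS or GitHub code: audit the scopes a GitHub OAuth
// token actually carries. GitHub echoes the granted scopes on every API
// response in the X-OAuth-Scopes header, so a client can compare them against
// the minimum it needs (e.g. public_repo instead of repo) before using the token.

// Scopes implied by a broader scope, taken from GitHub's OAuth scope docs.
const IMPLIED = {
  repo: ['repo:status', 'repo_deployment', 'public_repo', 'repo:invite', 'security_events'],
  user: ['read:user', 'user:email', 'user:follow'],
  'admin:org': ['write:org', 'read:org'],
  'write:org': ['read:org'],
};

// Parse a header such as "repo, user:email" into a Set of scope names.
function parseScopes(headerValue) {
  return new Set((headerValue || '').split(',').map((s) => s.trim()).filter(Boolean));
}

// Expand a set of scopes with everything they transitively imply.
function effectiveScopes(scopes) {
  const out = new Set(scopes);
  const queue = [...scopes];
  while (queue.length) {
    for (const child of IMPLIED[queue.pop()] || []) {
      if (!out.has(child)) { out.add(child); queue.push(child); }
    }
  }
  return out;
}

// Compare the token's effective scopes to the required ones. Anything the token
// can do that the required scopes could not is reported as excess privilege.
function auditToken(headerValue, required) {
  const granted = parseScopes(headerValue);
  const have = effectiveScopes(granted);
  const need = effectiveScopes(new Set(required));
  const missing = [...need].filter((s) => !have.has(s));
  const excess = [...have].filter((s) => !need.has(s));
  return { granted: [...granted], missing, excess, overScoped: excess.length > 0 };
}

// Constructed header values modelled on api.github.com responses: a CMS that
// only edits a public repo needs public_repo, yet the first token carries repo.
const NEEDED = ['public_repo', 'user:email'];
const fullAccess = auditToken('repo, user:email', NEEDED); // overScoped: true
const publicOnly = auditToken('public_repo, user:email', NEEDED); // overScoped: false
```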

caendesilva commented 6 months ago

Is there a reason we can't use GitHub Apps for this? Edit: See https://github.com/decaporg/decap-cms/issues/7108

flxmr commented 2 weeks ago

Until we get a working solution with PATs, it seems creating a new github account, and essentially using it as a "machine user":

Where is this tracked/worked on? In theory one could also use this to set up a login system without people having to know about github at all by hiding tokens/config behind htaccess?