Open Cleop opened 6 years ago
@Cleop, good question.
For enabling the app on GitHub the Org Owner will not need to authenticate with OAuth,
but for people clicking on the link in the issue "meta table", we will need to have OAuth on the Web App to control who can see the issue comment history. Otherwise someone can simply try random URLs like gibu.com/waymo/self-driving-car/issues/1
and what they are working ...
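One way to enforce the access control described in the comment above, as an added example that is not part of the github-backup project: a Plug that refuses to serve `/:org/:repo/issues/:id` unless the OAuth-authenticated user belongs to that organisation. It assumes the OAuth callback has already stored the user's GitHub login under the session key `:current_user` and their organisation logins under `:user_orgs` (both assumed names), and that the Plug is mounted in the controller that serves the issue route, so `path_params` is filled in.

```elixir
# Added example (not the github-backup project's own code). Assumed session keys:
# :current_user (GitHub login) and :user_orgs (list of org logins), set at OAuth callback.
defmodule GithubBackupWeb.Plugs.RequireOrgMember do
  @moduledoc """
  Halts any request for /:org/:repo/issues/:id unless the logged-in user
  belongs to the organisation named in the path. Without this check anyone
  could enumerate URLs such as /waymo/self-driving-car/issues/1.
  Mount with `plug GithubBackupWeb.Plugs.RequireOrgMember` inside the
  controller, after the router has matched the route.
  """
  @behaviour Plug
  import Plug.Conn

  def init(opts), do: opts

  def call(%Plug.Conn{path_params: %{"org" => org}} = conn, _opts) do
    user = get_session(conn, :current_user)
    orgs = get_session(conn, :user_orgs) || []

    cond do
      is_nil(user) ->
        # Not authenticated yet: send to the GitHub OAuth flow (assumed path).
        conn
        |> put_resp_header("location", "/auth/github")
        |> send_resp(302, "")
        |> halt()

      org in orgs ->
        # Member of the org in the URL: let the controller render the history.
        conn

      true ->
        # Authenticated but not a member: answer 404 so the response does not
        # reveal whether the org or repo exists.
        conn
        |> send_resp(404, "Not found")
        |> halt()
    end
  end

  # Any route without an :org segment is not an issue-history page; pass it through.
  def call(conn, _opts), do: conn
end
```

Membership stored in the session should be refreshed periodically (or re-checked against the GitHub API) so that users removed from an org lose access rather than keeping a stale grant for the session lifetime.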
The documentation on how to run a Phoenix app (also we might want to only use Elixir with Plug and Cowboy) using a Github app has been written for dwylbot here: https://github.com/dwyl/dwylbot#run-the-project-locally
I think we can reuse this documentation and adapt it for this project. There is also maybe a better way to run the project locally: instead of telling people to create their own Github App we could have a "dev Github App" where the credentials are shared?
This issue began as a discussion of the download/authorisation/authentication model of the application. Setting it up as a GitHub App has been done, and so now the next point to be addressed in this issue will be the authentication of users trying to access their GitHub history/backup using OAuth.
As a gh-backup user I want to be able to authenticate myself to access my github history so that I know that unauthorised users will not have access to my private history.
Notes:
OAuth Authentication
Once a user (where github-backup has been installed) wants to click on the button to see the history of a given comment they will be taken to the github-backup site and then they will have to authenticate with OAuth to prove that they are from the org. This step technically would not need to be performed in the case of public repos but given that it's essential for private repos, you only have to do it once and that in the future we may introduce writing access it seems like a good idea.
— Providing that it's a GitHub App that has been installed by the org owner, will the GitHub API provide a user access to all issues/comments regardless of whether they're an author / mentioned in them?
Github Apps
To see the github-backup button on each of your comments (which would link you to the github-backup site) we would use GitHub Apps.
In the case of github-backup I envisage this being the case (so that in the long run the organisation can decide whether they wish to accept any costs associated with using the app, as opposed to the individual). The other advantage of this is that 'a GitHub App remains installed if the person who set it up leaves the organization', so this would be continuous as well. GitHub Apps can request separate access to issues and pull requests without accessing the actual contents of the repository.