dwyl / github-backup

:octocat: :back: 🆙 Backup your GitHub Issues so you can still work when (they/you are) offline.
https://github-backup.herokuapp.com
GNU General Public License v2.0

Set up user authentication with OAuth #7

Open Cleop opened 6 years ago

Cleop commented 6 years ago

This issue began as a discussion of the download/authorisation/authentication model of the application. Setting it up as a github app has been done, so the next point to be addressed in this issue will be the authentication of users trying to access their github history/backup using OAuth.

As a gh-backup user I want to be able to authenticate myself to access my github history so that I know that unauthorised users will not have access to my private history.


Notes:

OAuth Authentication

Once a user (where github-backup has been installed) wants to click on the button to see the history of a given comment they will be taken to the github-backup site and then they will have to authenticate with OAuth to prove that they are from the org. This step technically would not need to be performed in the case of public repos but given that it's essential for private repos, you only have to do it once and that in the future we may introduce writing access it seems like a good idea.

OAuth2 lets external applications request authorization to private details in a user's GitHub account

— Providing that it's a Github App that has been installed by the org owner, will the github API provide a user access to all issues/comments regardless of whether they're an author/mentioned in them?

Github Apps

To see the github-backup button on each of your comments (which would link you to the github-backup site) we would use github apps.

To install a GitHub App, you must be an organization owner.

In the case of github-backup I envisage this being the case (so that in the long run the organisation can decide whether they wish to accept any costs associated with using the app as opposed to the individual). The other advantage of this is that: 'a GitHub App remains installed if the person who set it up leaves the organization', so this would be continuous as well.

GitHub Apps can request separate access to issues and pull requests without accessing the actual contents of the repository.

nelsonic commented 6 years ago

@Cleop, good question. For enabling the app on GitHub the Org Owner will not need to authenticate with OAuth, but for people clicking on the link in the issue "meta table" we will need to have OAuth on the Web App to control who can see the issue comment history. Otherwise someone can simply try random URLs like gibu.com/waymo/self-dring-car/issues/1 and what they are working ...
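As an added illustration of the control described in the comment above (example code, not code from github-backup or dwyl), a Plug that refuses to serve a repo's issue history unless the session holds an OAuth-authenticated user and GitHub confirms that user can read the repo, so guessed URLs return nothing. The module names, the `:github_user` session map, the `/auth/github` route and the injected `http_get` function are assumptions; the plug expects `Plug.Session` and a router that fills `path_params` to run before it.

```elixir
defmodule GithubBackup.Access do
  @moduledoc "Hypothetical helper: may this OAuth user read owner/repo?"

  # GET /repos/:owner/:repo returns 200 when the token can see the repo and
  # 404 otherwise (GitHub hides private repos from callers without access),
  # so the status alone answers the question. `http_get` is injected as a
  # fun (url, headers) -> {:ok, status} | {:error, reason} so the check is
  # not tied to one HTTP client; any failure is treated as "no access".
  def can_read_repo?(token, owner, repo, http_get) do
    url = "https://api.github.com/repos/#{URI.encode(owner)}/#{URI.encode(repo)}"
    headers = [{"authorization", "token #{token}"}, {"user-agent", "github-backup"}]
    match?({:ok, 200}, http_get.(url, headers))
  end
end

defmodule GithubBackup.Plugs.RequireRepoAccess do
  @moduledoc "Hypothetical plug: gate /:owner/:repo/issues/* behind OAuth plus an access check."
  @behaviour Plug
  import Plug.Conn

  # The HTTP function is passed in at plug time: plug RequireRepoAccess, http_get: &MyHttp.get/2
  def init(opts), do: Keyword.fetch!(opts, :http_get)

  def call(%Plug.Conn{path_params: %{"owner" => owner, "repo" => repo}} = conn, http_get) do
    case get_session(conn, :github_user) do
      nil ->
        # No OAuth session yet: remember the page, send the user to the OAuth route.
        conn
        |> put_session(:return_to, conn.request_path)
        |> put_resp_header("location", "/auth/github")
        |> send_resp(302, "")
        |> halt()

      %{token: token} ->
        # Being authenticated is not enough: check this user can read *this*
        # repo, otherwise guessing URLs would expose other organisations' history.
        # Answer 404 rather than 403 so the response does not confirm that a
        # private repo exists.
        if GithubBackup.Access.can_read_repo?(token, owner, repo, http_get) do
          conn
        else
          conn |> send_resp(404, "Not found") |> halt()
        end
    end
  end

  # Route without owner/repo params: nothing sensible to authorise.
  def call(conn, _http_get), do: conn |> send_resp(400, "Bad request") |> halt()
end
```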

SimonLab commented 6 years ago

The documentation on how to run a Phoenix app (also we might want to only use Elixir with Plug and Cowboy) using a Github app has been written for dwylbot here: https://github.com/dwyl/dwylbot#run-the-project-locally

I think we can reuse this documentation and adapt it for this project. There is also maybe a better way to run the project locally: instead of telling people to create their own Github App we could have a "dev Github App" where the credentials are shared?