golemcloud / golem-cloud-releases

Public binary golem-cloud-cli releases

Security concern for `golem-cli init` #1

Open gmlewis opened 1 month ago

gmlewis commented 1 month ago

When I run `golem-cli init`, then choose the "Golem Cloud" option and follow the instructions, I'm shown this warning from GitHub (with the IP address blocked out):

[Screenshot: golem-warning-2024-08-27_09-07-29]

I'm seriously concerned that the golem-cli command-line tool might be suffering from a man-in-the-middle attack where I'm giving my GitHub account access to an unknown third party (specifically, "Ashburn" at IP address 22.x.x.x as shown in the screenshot)... and I would really appreciate it if an official Golem team member could comment as to who/what this "Ashburn" is.

noise64 commented 1 month ago

Thank you for the report!

Currently we are using the GitHub OAuth "Device flow" for accessing email in a reliable way, and this flow got moved to the backend, to make it more secure for us, and this resulted in seeing our AWS Cloud service asking for auth (Ashburn is an AWS datacenter).

We understand that this can generate security concerns, and that it is not the right flow for this use case, and we started implementing the "Web application flow", which will happen inside the browser, but this will take time, and probably we can deploy it only in the next weeks.

Until then a few more details:
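To make the explanation above concrete, here is an added example (not code from Golem or GitHub) that models the OAuth device flow (RFC 8628) with a stand-in authorization server: the IP shown on the approval page is assumed to be that of whichever party requested the device code, so running the flow from a backend puts the backend's datacenter address in front of the user, exactly the situation reported in this issue. The two IP addresses are constructed documentation addresses.

```python
import secrets
from dataclasses import dataclass, field

# Constructed addresses: the user's own workstation and the vendor's cloud backend.
USER_IP, BACKEND_IP = "203.0.113.5", "198.51.100.7"


@dataclass
class DeviceAuthServer:
    """Stand-in for GitHub's device-flow endpoints; not GitHub's real implementation."""
    pending: dict = field(default_factory=dict)  # device_code -> request record
    codes: dict = field(default_factory=dict)    # user_code -> device_code

    def device_code(self, client_id, source_ip):
        """POST /login/device/code: the caller's IP is what the approval page shows."""
        dc = secrets.token_hex(16)
        uc = f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}"
        self.pending[dc] = {"client": client_id, "ip": source_ip, "approved": False}
        self.codes[uc] = dc
        return {"device_code": dc, "user_code": uc}

    def approval_page(self, user_code):
        """Text the browser shows the user before they click Authorize."""
        rec = self.pending[self.codes[user_code]]
        return f"A request from IP {rec['ip']} wants to authorize {rec['client']}"

    def approve(self, user_code):
        self.pending[self.codes[user_code]]["approved"] = True

    def token(self, device_code):
        """POST /login/oauth/access_token: polled by whoever holds device_code."""
        rec = self.pending[device_code]
        if not rec["approved"]:
            return {"error": "authorization_pending"}
        return {"access_token": "gho_constructed_token"}


def device_flow(requester_ip):
    """Run one device flow where `requester_ip` is the party talking to GitHub.

    Returns (approval page text, token response). Only the requester ever holds
    device_code, so only the requester can redeem the token: if the backend
    requests it, the token lands on the backend, not on the user's CLI.
    """
    srv = DeviceAuthServer()
    grant = srv.device_code("golem-cli", requester_ip)
    page = srv.approval_page(grant["user_code"])       # what the user reads
    assert srv.token(grant["device_code"]) == {"error": "authorization_pending"}
    srv.approve(grant["user_code"])                    # user clicks Authorize
    return page, srv.token(grant["device_code"])
```

Compare `device_flow(USER_IP)` with `device_flow(BACKEND_IP)`: the approval page names the backend, so a user cannot tell a legitimate vendor backend from an unrelated third party by the IP alone, which is why a browser-based web application flow is the better fit here.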