harksys / HawkEye

A useful app for GitHub Notifications
https://harksys.com/labs/introducing-hawk-eye-a-useful-app-for-github-notifications
MIT License

Security #20

Open probonopd opened 7 years ago

probonopd commented 7 years ago

When I open the app, I get "Sign into GitHub to continue to HawkEye". How can I know that this is not a phishing attempt? How can I know that the app doesn't abuse my username and password for something else?

andrewhathaway commented 7 years ago

Hi @probonopd. For the application to get your notifications, you need to authenticate with GitHub.

This is done using the OAuth2 protocol. Your username and password are entered, by the user, to GitHub itself, where Hawk Eye doesn't have access to those values. In return, Hawk Eye gets a token used to authenticate with GitHub's API. This token is then stored on your machine only, again, where only you have access to it. Removing your account from Hawk Eye will delete the token from your machine.

Hope this clears things up. Have a good day. :)

probonopd commented 7 years ago

It is clear to me that this is how it should work - but how can a user be sure that this is what actually happens? Could the app use the system's browser to handle entering the credentials? That way, the user would at least see the URL where he enters his credentials...

andrewhathaway commented 7 years ago

Sadly, if I were to give control over to the system's browser, I could not get the user's access token from the redirected browser. I will look into this further; my other option would be to show the address bar on the window.

probonopd commented 7 years ago

> show the address bar on the window

A malicious fork of this app could show something random there...

andrewhathaway commented 7 years ago

Sure, it could. Looking through this issue, there's no way for me to show a toolbar on the Electron BrowserWindow implementation. https://github.com/electron/electron/issues/1862

Furthermore, looking at the docs for shell.openExternal, there's no way for me to grab the token back from the browser. https://github.com/electron/electron/blob/master/docs/api/shell.md#shellopenexternalurl-options-callback

I'm not entirely sure there's a way forward for this issue.

iamthemovie commented 7 years ago

@probonopd we could mitigate the issue by offering a way of manually entering a user-generated OAuth token as a different option when logging in. That way you have complete control over the transient token and do not have to enter your password or user details.

While I completely understand the security implication of what you're suggesting we would always recommend on a personal note to use randomly generated passwords for every account a user has on the internet (managed by a password manager) and enable two-factor authentication where applicable. 😄
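One way the manual-token option could be implemented, as an added example that is not HawkEye's code: the pasted token is sent to GitHub's /user endpoint, the X-OAuth-Scopes response header is read, and the token is rejected if it lacks the notifications scope or flagged if it carries scopes the app never needs. Node 18+ (global fetch), the injectable fetchImpl parameter and the HAWKEYE_TOKEN environment variable are assumptions of this example.

```javascript
// Added example, not HawkEye's code: check a manually pasted GitHub token
// before the app stores it, so only a token scoped to notifications is kept.
// Assumes Node 18+ (global fetch). The "X-OAuth-Scopes" response header and
// the scope names are GitHub's; the accept/reject policy is this example's own.

const API_USER = 'https://api.github.com/user';

// "notifications" is all the app needs; "repo" also grants notification
// access but carries read/write on private repositories, so treat it as excess.
const NEEDED = 'notifications';
const IMPLIES_NEEDED = ['repo'];
const OVERBROAD = ['repo', 'delete_repo', 'admin:org', 'admin:public_key',
                   'admin:repo_hook', 'write:org', 'workflow'];

// Parse GitHub's comma-separated X-OAuth-Scopes header into an array.
function parseScopes(header) {
  return (header || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// Turn an HTTP status and scope header into a decision the sign-in UI can show.
// ok: token may be stored; excess: scopes the app never needs (warn the user).
function classifyToken(status, scopeHeader) {
  if (status === 401) return { ok: false, reason: 'token rejected by GitHub', excess: [] };
  if (status !== 200) return { ok: false, reason: `unexpected HTTP ${status}`, excess: [] };
  const scopes = parseScopes(scopeHeader);
  const excess = scopes.filter((s) => OVERBROAD.includes(s));
  const usable = scopes.includes(NEEDED) || scopes.some((s) => IMPLIES_NEEDED.includes(s));
  if (!usable) return { ok: false, reason: `token lacks the "${NEEDED}" scope`, excess };
  return { ok: true, reason: excess.length ? 'usable, but over-privileged' : 'usable', excess };
}

// Ask GitHub who the token belongs to; only the token goes over the wire,
// never a username or password. fetchImpl is injectable for offline testing.
async function verifyToken(token, fetchImpl = fetch) {
  const res = await fetchImpl(API_USER, {
    headers: { Authorization: `token ${token}`, Accept: 'application/vnd.github+json' },
  });
  const verdict = classifyToken(res.status, res.headers.get('x-oauth-scopes'));
  const login = res.status === 200 ? (await res.json()).login : null;
  return { login, ...verdict };
}

// Usage: HAWKEYE_TOKEN is a hypothetical env var holding the pasted token.
if (typeof process !== 'undefined' && process.env.HAWKEYE_TOKEN) {
  verifyToken(process.env.HAWKEYE_TOKEN).then((r) => console.log(r));
}
```

The scope check applies to classic OAuth/personal access tokens; a token that reports no X-OAuth-Scopes header is rejected as lacking the notifications scope.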

probonopd commented 7 years ago

@iamthemovie I would appreciate this option very much. And just a GitHub password alone is precious enough to really care about it ;-)