Github removing anonymous gist creation

[sfiera]

Yesterday, Github posted “Deprecation notice: Removing anonymous gist creation”:

March 19, 2018 19:00 UTC (11:00 am PST): Disable anonymous gist creation via the web and API.

So if I understand correctly, PuzzleScript’s “Share” button is going to break in one month. One fix would be to add authentication (#306).

(I’d like to volunteer, but don’t think I’d get to it before the one-month deadline)

[increpare]

oh wow, thanks for this. my understanding is that authentication

1: might create weird rate limits (I didn't fully understand the description last time I checked, but it looked like they were per-app rather than per-user, which might be a pain) 2: means I'll have some private key that I'll have to keep secret from github/etc.

I guess I'll go ahead and do it now that it's required. (If anyone knows more about this than me, or can do the research footwork, and can help me out knowing what exactly this means usage limit-wise, I'd appreciate it)

2018-02-19 11:27 GMT+01:00 Chris Pickel notifications@github.com:

Yesterday, Github posted “Deprecation notice: Removing anonymous gist creation https://github.com/blog/2503-deprecation-notice-removing-anonymous-gist-creation ”:

March 19, 2018 19:00 UTC (11:00 am PST): Disable anonymous gist creation via the web and API.

So if I understand correctly, PuzzleScript’s “Share” button is going to break in one month. One fix would be to add authentication (#306 https://github.com/increpare/PuzzleScript/issues/306).

(I’d like to volunteer, but don’t think I’d get to it before the one-month deadline)

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/increpare/PuzzleScript/issues/431, or mute the thread https://github.com/notifications/unsubscribe-auth/AAca4Kw-LAhyX9HwM-L-FLPSrt0T7Gr1ks5tWUx5gaJpZM4SKVAZ .

[increpare]

asked here -

https://twitter.com/increpare/status/965600580642263040

2018-02-19 15:28 GMT+01:00 Stephen Lavelle analytic@gmail.com:

oh wow, thanks for this. my understanding is that authentication

1: might create weird rate limits (I didn't fully understand the description last time I checked, but it looked like they were per-app rather than per-user, which might be a pain) 2: means I'll have some private key that I'll have to keep secret from github/etc.

I guess I'll go ahead and do it now that it's required. (If anyone knows more about this than me, or can do the research footwork, and can help me out knowing what exactly this means usage limit-wise, I'd appreciate it)

2018-02-19 11:27 GMT+01:00 Chris Pickel notifications@github.com:

Yesterday, Github posted “Deprecation notice: Removing anonymous gist creation https://github.com/blog/2503-deprecation-notice-removing-anonymous-gist-creation ”:

March 19, 2018 19:00 UTC (11:00 am PST): Disable anonymous gist creation via the web and API.

So if I understand correctly, PuzzleScript’s “Share” button is going to break in one month. One fix would be to add authentication (#306 https://github.com/increpare/PuzzleScript/issues/306).

(I’d like to volunteer, but don’t think I’d get to it before the one-month deadline)

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/increpare/PuzzleScript/issues/431, or mute the thread https://github.com/notifications/unsubscribe-auth/AAca4Kw-LAhyX9HwM-L-FLPSrt0T7Gr1ks5tWUx5gaJpZM4SKVAZ .

[sfiera]

The rate limits appear to be per-user:

Authenticated requests are associated with the authenticated user … This means that all OAuth applications authorized by a user share the same quota of 5000 requests per hour when they authenticate with different tokens owned by the same user.

[increpare]

ok, thanks for getting that here.

further questions: am I, the dev, the user, or is the end user the user? (I guess it's a global limit of 5k) is there a way to pay to increase this limit if needs be? fetching a gist isn't a request, just submitting one, right?

2018-02-19 22:28 GMT+01:00 Chris Pickel notifications@github.com:

The rate limits appear to be per-user https://developer.github.com/v3/#rate-limiting:

Authenticated requests are associated with the authenticated user … This means that all OAuth applications authorized by a user share the same quota of 5000 requests per hour when they authenticate with different tokens owned by the same user.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/increpare/PuzzleScript/issues/431#issuecomment-366806841, or mute the thread https://github.com/notifications/unsubscribe-auth/AAca4GJaWHF2kJHfFNtBg_stFLRLx_kUks5tWeeQgaJpZM4SKVAZ .

[sfiera]

My reading is that user == end user == GitHub account. PuzzleScript is an OAuth application. There’s no mention of paying to increase the limit, but 5k/hour is more than 1/sec, so it seems unlikely you’d hit it (it’s also the user’s limit, not the app’s).

I think fetching a gist is still a request, so the quota rules would depend on whether you change it to make authenticated requests:

• If you leave it as-is, then you continue to get 60/h/ip
• If you provide the access_token, then the quota comes from the 5k/h/user bucket

[increpare]

OK, got a reply, we're going to need a different solution -_-

"Hi Stephen,

Thanks for reaching out -- I'm sorry that you didn't receive a reply to that tweet!

That's correct -- it will not be possible to create anonymous gists anymore, neither in the UI nor the API. That includes when you provide the application's credentials (client_id + client_secret). The reason is that gists can only be associated with a user account or be anonymous. The anonymous option is being removed completely. This means that gists will need to be created with some user account (both in the UI and API), and the application's credentials aren't associated with any specific user. You'd need to use a user's token (or username+password credentials) in order for the gist to be associated with a user.

I wish I had better news for you, but I don't. If you have any other questions -- please let me know.

Best, GitHub Staff

Hi, I read this post showing that anonymous gists are getting turned off - https://blog.github.com/2018-02-18-deprecation-notice-removing-anonymous-gist-creation/ . As suggested at the bottom of the post, I tweeted my question at @github but received no response ( https://twitter.com/increpare/status/965600580642263040 ).

My question is: This means that people in the future will not be able to create gists (via the API) without a github account? Even if the app is authenticated?

I use github gists for online storage/sharing of scripts for several small game engines (https://www.puzzlescript.net, https://www.flickgame.org, https://tinychoice.net, ), where it was amazingly useful. It would be nice to continue to use it, but I absolutely understand how awful spam is (which is the main reason I don't want to store things on my own servers...)"

[increpare]

Unfortunately, I'm stressed out with life things right now. I should have dealt with this sooner.

https://pastebin.com/api is seeming the best option right now. Not as good as github gists were, but it allows anonymous submission.

Hi, we do delete inactive pastes, but this happens after a long time. Currently years... If you want to make sure it's never deleted, get a PRO account.

There are posting rate limits. They are per IP & per account. See: https://pastebin.com/faq#11a A PRO account is highly recommended in your case.

Hope this answers your questions.

Quickly thinking about how I'd implement it - currently links have the form

https://www.puzzlescript.net/editor.html?hack=ab40e550847221098dedd0d2bd876039 https://www.puzzlescript.net/play.html?p=ab40e550847221098dedd0d2bd876039

i'd keep these as fallbacks, but in future use a new format

https://www.puzzlescript.net/editor.html?g=ab40e550847221098dedd0d2bd876039 https://www.puzzlescript.net/play.html?g=ab40e550847221098dedd0d2bd876039

if the g token is present, is searches for the pastebin url, if the hack/p one is available it searches for github.

if someone is able to try this out and get it working, just in the editor, it'd be a big help for me. I could then get it working in standalone and compiled builds ok (I also need to adjust http://plingpling.org , https://www.flickgame.org , and https://tinychoice.net -_- )

This seems like the best course of action, right? People can still make updatable gist urls if they want to.

[madewokherd]

There must be some way we can get these archived permanently. It'd make sense for archive.org, but we'd need a CC license from the author, and I doubt that archive.org wants to take in anonymous text files and serve them back.

It might be possible to use pastebin for temporary storage and move the "real" posts to archive.org in batches, but we'd need a way to find them all, and it's not clear that pastebin can support this. They have an API designed for grabbing every post as it happens (by literally running a server that constantly queries their server for the last N posts), but they have no API for searching.

[increpare]

I have google analytics in the player on the website so I get a record of all the gist/whatever ids accessed

2018-03-18 4:10 GMT+01:00 Vincent Povirk notifications@github.com:

There must be some way we can get these archived permanently. It'd make sense for archive.org, but we'd need a CC license from the author, and I doubt that archive.org wants to take in anonymous text files and serve them back.

It might be possible to use pastebin for temporary storage and move the "real" posts to archive.org in batches, but we'd need a way to find them all, and it's not clear that pastebin can support this. They have an API designed for grabbing every post as it happens (by literally running a server that constantly queries their server for the last N posts), but they have no API for searching.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/increpare/PuzzleScript/issues/431#issuecomment-373969566, or mute the thread https://github.com/notifications/unsubscribe-auth/AAca4GFMpfR2ZznAqsl79hJWqnUEyGFsks5tfdArgaJpZM4SKVAZ .

[philschatz]

In case GitHub stops making anonymous Gists publicly available, I forked the ones that were on https://puzzlescriptgallery.tumblr.com as well as others that I could find (I do not believe you can search to find Anonymous gists anymore). For what it's worth, I think forking of Gists is OK in terms of GitHub-use (since the button is readily available) but I can ask what their plans are if it would help.

Also, in doing so, I found a few public gists that were really fun that I did not see on https://puzzlescriptgallery.tumblr.com (I @mentioned the authors in case they would like to remove those gists):

• Bubble Butler by @Gate88, the author of SwapBot
• Unity, Heroes of Sokobon...: The Rogue, and Magnet Jack by @octoConnors, the author of Spacekoban. See more here

[Gate88]

Yep, fine with me @philschatz. Thanks for doing this preservation work!

[octoConnors]

Not a problem! I appreciate it. My recent Puzzlescripts I try to use my actual Gist account, but there are quite a few that were anonymous.

Sent from Mail for Windows 10

From: Philip Schatz Sent: Saturday, March 17, 2018 10:36 PM To: increpare/PuzzleScript Cc: Connorses; Mention Subject: Re: [increpare/PuzzleScript] Github removing anonymous gist creation(#431)

In case GitHub stops making anonymous Gists publicly available, I forked the ones that were on https://puzzlescriptgallery.tumblr.com as well as others that I could find (I do not believe you can search to find Anonymous gists anymore). For what it's worth, I think forking of Gists is OK in terms of GitHub-use (since the button is readily available) but I can ask what their plans are if it would help. Also, in doing so, I found a few public gists that were really fun that I did not see on https://puzzlescriptgallery.tumblr.com (I @mentioned the authors in case they would like to remove those gists): • Bubble Butler by @Gate88, the author of SwapBot • Unity, Heroes of Sokobon...: The Rogue, and Magnet Jack by @octoConnors, the author of Spacekoban. See more here — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[increpare]

I should say, if anyone wants to help out with the pastebin-porting task ( https://github.com/increpare/PuzzleScript/issues/431#issuecomment-373930260 ), https://github.com/increpare/TinyChoice / https://tinychoice.net is a much easier code base, and I should be able to easily port between that and puzzlescript.

[philschatz]

Is there a way to submit anonymously to pastebin? From https://pastebin.com/api it seems that you need a developer key to create them:

Everybody using our API is required to use a valid Developer API Key. You automatically get a key when you become a member of Pastebin. Please login to your account, and return to this page to find your Developer API Key.

(the web form uses a hidden CSRF token to ensure the POST originated from their site)

I started going down the GitHub OAuth route that I think #433 took but it might be easier to use what @sfiera did and just host the OAuth server on something free like heroku or https://now.sh or https://github.com/tomkp/login-with#github-specific-environment-variables

[ThatScar]

I've detailed some news and a very simple (temporary) remedy in the puzzlescript google group: https://groups.google.com/forum/#!topic/puzzlescript/Z6QthMS05Ag