jamierocks / gore

gore - Ore redone in Golang
MIT License

Authentication #6

Open jamierocks opened 8 years ago

jamierocks commented 8 years ago

Currently Gore uses a shabby authentication implementation.

[00:39:10]  <unascribed>    how to approach authentication: don't
[00:39:53]  <unascribed>    oh, you are using oauth
[00:39:54]  <unascribed>    carry on
[00:40:45]  <unascribed>    make sure that your cookie is HttpOnly and Secure, and that it's encoded somehow instead of being the raw token
[00:40:48]  <unascribed>    I don't know how macaron works
[00:40:51]  <unascribed>    jamierocks ^
[00:41:06]  <jamierocks>    alright - thanks ;)
[00:41:09]  <unascribed>    the cookie should be a meaningless session token rather than the github access token
[00:41:24]  <unascribed>    and your server should be able to convert the meaningless session token to a github token to ensure identity
[00:41:35]  <unascribed>    also make sure not to request more permissions than you need
[00:41:46]  <unascribed>    people are likely to be suspicious otherwise (with good reason)
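The session handling the log recommends, written out as an added Go example (not gore's own code, and it does not use macaron): the browser only ever holds a random, meaningless session ID in an `HttpOnly`, `Secure` cookie, and the server maps that ID back to the GitHub access token. The cookie name `gore_session`, the in-memory store layout and the sample token value are assumptions; the `SameSite` flag and the session expiry go slightly beyond what the log asks for.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"net/http"
	"sync"
	"time"
)

// Cookie name is an assumption for this example, not gore's real one.
const sessionCookieName = "gore_session"

var errNoSession = errors.New("unknown or expired session")

// session is kept server-side only; the GitHub token never reaches the browser.
type session struct {
	accessToken string
	expires     time.Time
}

// SessionStore maps meaningless session IDs to GitHub access tokens (in memory here).
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]session
}

func NewSessionStore() *SessionStore {
	return &SessionStore{sessions: make(map[string]session)}
}

// newSessionID returns 256 random bits, base64url-encoded: it says nothing about the user or token.
func newSessionID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Create stores the token from the OAuth callback and returns the opaque ID for the cookie.
func (s *SessionStore) Create(accessToken string, ttl time.Duration) (string, error) {
	id, err := newSessionID()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[id] = session{accessToken: accessToken, expires: time.Now().Add(ttl)}
	return id, nil
}

// Lookup converts a session ID back into the GitHub token; unknown and expired IDs are rejected.
func (s *SessionStore) Lookup(id string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[id]
	if !ok {
		return "", errNoSession
	}
	if time.Now().After(sess.expires) {
		delete(s.sessions, id) // drop expired entries on sight
		return "", errNoSession
	}
	return sess.accessToken, nil
}

// Revoke forgets a session (logout); the cookie value becomes useless afterwards.
func (s *SessionStore) Revoke(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, id)
}

// SessionCookie sets the flags from the log: HttpOnly keeps the value away from page
// scripts, Secure keeps it off plain HTTP. SameSite=Lax is an extra CSRF guard.
func SessionCookie(id string, ttl time.Duration) *http.Cookie {
	return &http.Cookie{
		Name:     sessionCookieName,
		Value:    id,
		Path:     "/",
		MaxAge:   int(ttl.Seconds()),
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	}
}

// TokenFromRequest is what a handler calls: read the cookie, map it back to the
// GitHub token server-side, and fail closed when there is no valid session.
func TokenFromRequest(store *SessionStore, r *http.Request) (string, error) {
	c, err := r.Cookie(sessionCookieName)
	if err != nil {
		return "", errNoSession
	}
	return store.Lookup(c.Value)
}
```

In the OAuth callback handler, call `store.Create` with the token GitHub returned and `http.SetCookie(w, SessionCookie(id, ttl))`; every later request goes through `TokenFromRequest`. Because the GitHub token is only ever looked up server-side, a leaked cookie can be invalidated with `Revoke` without touching the GitHub authorization itself.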