node-gh / gh

(DEPRECATED) GitHub CLI made with NodeJS. Use the official https://cli.github.com/ instead.
http://nodegh.io

Use API keys by default #450

Closed appsforartists closed 5 years ago

appsforartists commented 8 years ago

gh delegates to the npm github module for authentication, which sends your username and password as an HTTP header. That feels insecure.

GitHub has personal access tokens for this purpose, which is what github is creating behind-the-scenes. Can we change the prompt to ask for a token, and completely avoid potentially sending real user credentials over-the-wire?

henvic commented 8 years ago

I wish GitHub had something like https://google.com/device (which I intend to use in a project which I am working on).

I am not doing this now, but I might find some time to do so in about 3 weeks (hopefully).

brennantaylor commented 8 years ago

I was able to use only my username and PAT by leaving the password blank in the ~/.gh.json.

mohhasbias commented 7 years ago

I think it is already supported in the current release. We could use a GitHub token by filling it in in the .gh.json file.

There is a github_token property in the file. https://github.com/node-gh/gh/blob/master/default.gh.json#L19

mohhasbias commented 7 years ago

I think asking for github_token could be used instead of the password.

protoEvangelion commented 5 years ago

We could offer a list of authentication options using inquirer: https://github.com/SBoudrias/Inquirer.js#prompt-types

The list of options could include what @octokit/rest offers: https://github.com/octokit/rest.js#authentication

kenshinji commented 5 years ago

> I think it is already supported in the current release. We could use a GitHub token by filling it in in the .gh.json file.
>
> There is a github_token property in the file. https://github.com/node-gh/gh/blob/master/default.gh.json#L19

@mohhasbias Are you sure about that? This is what I got when I was using a personal access token for access.

[Screenshot 2019-05-08 at 10 09 03 AM]

protoEvangelion commented 5 years ago

@kenshinji you can generate a personal access token yourself here: https://github.com/settings/tokens/new

Add these scopes:

[image]

And then add to your ~/.gh.json

    "github_token": "yourtoken",
    "github_user": "yourusername",

This will allow you to bypass the prompt which is just a convenience method. All we do is generate the personal token and store it for you automatically. Please let me know if you have any issues with that.

I'm closing this for now as we will still offer the convenience method of generating the personal token for you.
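
Added example, not part of the thread and not node-gh's own code: a small Node.js check for a `~/.gh.json` that stores `github_token` in plaintext, flagging a missing or placeholder token and file permissions that let other local users read it. The names `auditGhConfig` and `demo` are hypothetical, the owner-only `600` mode is this example's recommendation, and matching any key that contains "password" is an assumption, since the thread does not name that field.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Returns a list of findings; an empty list means nothing was flagged.
function auditGhConfig(file) {
  const findings = [];
  const mode = fs.statSync(file).mode & 0o777;
  // The token sits in plaintext, so only the owner should be able to read it.
  if (mode & 0o077) {
    findings.push(`mode ${mode.toString(8)} lets group/other access the file; use 600`);
  }
  let cfg;
  try {
    cfg = JSON.parse(fs.readFileSync(file, 'utf8'));
  } catch (err) {
    return findings.concat(`not valid JSON: ${err.message}`);
  }
  if (typeof cfg !== 'object' || cfg === null) {
    return findings.concat('top-level JSON value is not an object');
  }
  const token = cfg.github_token;
  if (typeof token !== 'string' || token.trim() === '') {
    findings.push('github_token is not set');
  } else if (token === 'yourtoken') {
    findings.push('github_token still holds the placeholder value');
  }
  if (typeof cfg.github_user !== 'string' || cfg.github_user === '') {
    findings.push('github_user is not set');
  }
  // Assumption: a key whose name contains "password" holds an account password.
  for (const [key, value] of Object.entries(cfg)) {
    if (/password/i.test(key) && value) {
      findings.push(`"${key}" is set; remove it and rely on the token`);
    }
  }
  return findings;
}

// Constructed sample configs, written to a temp dir so the check runs offline.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'gh-audit-'));
  const file = path.join(dir, '.gh.json');
  const write = (cfg, mode) => { fs.writeFileSync(file, JSON.stringify(cfg)); fs.chmodSync(file, mode); };
  write({ github_token: 'yourtoken', github_user: 'yourusername' }, 0o644);
  const before = auditGhConfig(file);
  write({ github_token: 'constructed-token-value', github_user: 'yourusername' }, 0o600);
  const after = auditGhConfig(file);
  fs.rmSync(dir, { recursive: true });
  return { before, after };
}
```

To check a real config, call `auditGhConfig(path.join(os.homedir(), '.gh.json'))` and print the returned findings.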