revolunet / sublimetext-markdown-preview

markdown preview and build plugin for sublime text 2/3
MIT License

You should include better instructions on how to get a GitHub oAuth token to prevent credential leaks #311

Closed ChALkeR closed 8 years ago

ChALkeR commented 8 years ago

https://github.com/revolunet/sublimetext-markdown-preview/blob/1.3.2/MarkdownPreview.sublime-settings#L144-L147:

Uses an OAuth token when parsing markdown with GitHub API. To create one for Markdown Preview, see https://help.github.com/articles/creating-an-oauth-token-for-command-line-use.

When a user follows that, he or she creates a token with the default scopes. From the doc:

The default scopes allow you to interact with public and private repositories, user data, and gists.

That's read/write access to all public and private repos, user data, and gists!

People often share dotfiles, and they commonly fail to remember (or are not aware) that their Sublime Text settings file contains a token that gives anyone write access to all their repos on GitHub.

If your app works fine without those scopes, you should tell the user to create a token that doesn't have unneeded scopes. Preferably — with no scopes at all. Also, you should tell users that the token is supposed to be kept secret.

See https://github.com/ChALkeR/notes/blob/master/Do-not-underestimate-credentials-leaks.md#common-sources-of-leaks for details.
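The two checks that follow from this report, as an added example that is not part of the original issue, the package, or its README. It assumes the setting is named `github_oauth_token` (as in the linked settings file), that the GitHub Markdown endpoint needs no scopes at all (the issue's recommendation), and that a token-authenticated API call returns the granted scopes in the `X-OAuth-Scopes` response header; the settings text and token value are constructed dummies. The first function compares a token's granted scopes against what the plugin needs and flags anything that grants write access; the second scans a Sublime settings file for a filled-in token so it can be run as a pre-commit check on a dotfiles repo.

```python
"""Check a GitHub token's scopes against what Markdown Preview needs, and
catch a token about to be committed in Sublime Text settings.
Added example, not code from the plugin; all names below are assumptions."""
import re

# Classic OAuth/PAT scopes that grant write access to repos, gists or
# account data (the ones the default scope set hands out).
WRITE_SCOPES = {
    "repo", "public_repo", "gist", "user", "admin:org", "write:org",
    "delete_repo", "admin:public_key", "write:public_key",
    "admin:repo_hook", "write:repo_hook",
}

# Assumption (per the issue): rendering markdown through the API needs
# no scopes, so the required set for this plugin is empty.
REQUIRED_SCOPES = frozenset()


def parse_oauth_scopes(header_value):
    """Parse the comma-separated X-OAuth-Scopes header into a set.

    A token created with no scopes yields an empty header, hence an empty set.
    """
    return {s.strip() for s in header_value.split(",") if s.strip()}


def audit_token_scopes(header_value, required=REQUIRED_SCOPES):
    """Return granted scopes, the excess over `required`, and whether the
    excess includes anything that grants write access."""
    granted = parse_oauth_scopes(header_value)
    excess = granted - set(required)
    return {
        "granted": granted,
        "excess": excess,
        "grants_write": bool(excess & WRITE_SCOPES),
        "ok": not excess,
    }


# Setting name assumed from the linked MarkdownPreview.sublime-settings.
# Sublime settings are JSON with // comments, so a regex that ignores the
# surrounding syntax is simpler than a strict JSON parse.
TOKEN_RE = re.compile(r'"github_oauth_token"\s*:\s*"([^"]*)"')


def find_tokens(settings_text):
    """Return every non-empty github_oauth_token value in a settings file."""
    return [m.group(1) for m in TOKEN_RE.finditer(settings_text) if m.group(1)]


def redact(token):
    """Show only the first four characters so a report can't leak the token."""
    return token[:4] + "*" * max(len(token) - 4, 0)


# Constructed sample settings file with a dummy 40-hex-char token.
SAMPLE_SETTINGS = """{
    // Uses an OAuth token when parsing markdown with GitHub API.
    "github_oauth_token": "0123456789abcdef0123456789abcdef01234567",
    "parser": "github"
}"""


def check_dotfile(settings_text):
    """Pre-commit style check: list redacted tokens found in the settings."""
    return [redact(t) for t in find_tokens(settings_text)]


if __name__ == "__main__":
    # Constructed header value matching the default scope set.
    report = audit_token_scopes("repo, user, gist")
    print("excess scopes:", sorted(report["excess"]),
          "grants write:", report["grants_write"])
    print("tokens in settings:", check_dotfile(SAMPLE_SETTINGS))
```

Run against a real token by sending any authenticated request with `curl -I` and pasting the `X-OAuth-Scopes` header value into `audit_token_scopes`; a token that was created with no scopes passes, the default set does not.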

facelessuser commented 8 years ago

Would you like to write up better instructions? Pull requests are welcome. This package is community driven.

ChALkeR commented 8 years ago

@facelessuser I am not a user of this package or Sublime Text. I have no idea what scopes this package requires, though I am confident that the default list is too high. Also, I am not a native English speaker. Sorry, no pull request here.

revolunet commented 8 years ago

Thanks for reporting that issue, your English looks very good :) I'll fix the README

revolunet commented 8 years ago

@facelessuser I added a note in the README. I planned to make a PR for you to review but for some reason it committed directly on master...; sorry for that!

ChALkeR commented 8 years ago

@revolunet Looks good to me, thanks!

facelessuser commented 8 years ago

No worries. Looks good to me.