saket / press

Cross-platform markdown editor written in Kotlin Multiplatform (work in progress)

Scary permissions being asked for GitHub sync #58

Open ChanSek opened 4 years ago

ChanSek commented 4 years ago

While syncing with GitHub, it simply asks for all my private and public repositories.

Here is a screenshot of how it looks:

[Screenshot: 20201025_092202.jpg]

Though it might not be misused by the app, it would always be a great idea to have a custom message displayed at the app side before even going forward with syncing.

In this way, the user knows what Press is going to do with all the repositories and why it is asking.

ChanSek commented 4 years ago

Well, there could be a different approach taken to solve this problem.

Assuming your target user base is tech-friendly, how about just having a simple EditText in the app asking for the repository URL and only syncing that?

saket commented 4 years ago

Agree that that is quite scary. I'll add a rationale dialog to try explaining the permission before opening the auth page.

> Assuming your target user base is tech-friendly, how about just having a simple EditText in the app asking for the repository URL and only syncing that?

The URL isn't sufficient; a private SSH key is required as well for granting Press access to your repository. Expecting users to generate an SSH key-pair on their computer and paste their private key in the app is a huge entry barrier. I could consider offering it as an option for paranoid users in the future, but I don't know if it's worth putting in effort right now.

saket commented 3 years ago

I should also add that this is the smallest set of permissions a GitHub app can request for adding a deploy key to a single git repository. I wish there was a narrower permission.

FWIW Press deletes your auth token right after you choose a repository: GitHostIntegrationPresenterTest.kt#L203:L216.
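The flow saket describes above (use the broad OAuth token only long enough to register a deploy key on the one chosen repository, then get rid of the token) as an added Python sketch; this is not Press's own Kotlin code. The `Transport` callable, `TokenStore` and the sample public key are constructed stand-ins; the deploy-key endpoint is GitHub's `POST /repos/{owner}/{repo}/keys`.

```python
"""Least-privilege bootstrap for per-repository git sync (added example).

The OAuth token covers every repository the user can reach, so it is held
only for the single call that registers a deploy key, and it is cleared
from the app's store even when that call fails. Only the *public* half of
the SSH key-pair ever leaves the device.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

API = "https://api.github.com"

# Constructed transport shape: (method, url, headers, json_body) -> (status, json)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


@dataclass
class TokenStore:
    """Stand-in for the app's persisted OAuth token (constructed)."""
    token: Optional[str] = None

    def clear(self) -> None:
        self.token = None


def add_deploy_key(owner: str, repo: str, public_key: str, token: str,
                   http: Transport, read_only: bool = False) -> int:
    """Register PUBLIC_KEY as a deploy key on exactly one repository."""
    # Refuse anything that is not an OpenSSH public key line; a private
    # key pasted here by mistake must never be sent to the API.
    if not public_key.startswith(("ssh-ed25519 ", "ssh-rsa ", "ecdsa-sha2-")):
        raise ValueError("expected an OpenSSH public key line")
    status, body = http(
        "POST", f"{API}/repos/{owner}/{repo}/keys",
        {"Authorization": f"token {token}",
         "Accept": "application/vnd.github+json"},
        {"title": "Press sync key", "key": public_key, "read_only": read_only},
    )
    if status != 201:
        raise RuntimeError(f"deploy key not created (HTTP {status})")
    return int(body["id"])


def bootstrap_repo_sync(store: TokenStore, owner: str, repo: str,
                        public_key: str, http: Transport) -> int:
    """Add the deploy key, then drop the broad token no matter what happened."""
    if store.token is None:
        raise RuntimeError("no OAuth token available")
    try:
        return add_deploy_key(owner, repo, public_key, store.token, http)
    finally:
        store.clear()  # the token is not needed once the deploy key exists
```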