vermiculus / sx.el

Stack Exchange for Emacs
http://stackapps.com/q/3950
709 stars, 40 forks

Why does authentication send my token to an HTTP site? (seanallred) #314

Closed Hunter-Github closed 6 years ago

Hunter-Github commented 8 years ago

Can't understand the process. Does that mean access to my account is shared by a dozen other folks?

vermiculus commented 8 years ago

No, your account is not shared with anyone.

Hunter-Github commented 8 years ago

Why an insecure redirect, then?

Hunter-Github commented 8 years ago

I must be missing something obvious, please bear with me. If you have an RTFM link handy, that'll do.

vermiculus commented 8 years ago

The authentication is handled entirely by StackExchange.

[image]

As you can see, I don't provide the protocol -- just the domain.

Hunter-Github commented 8 years ago

Ah ok, thanks.

vermiculus commented 8 years ago

Hmm, actually it's defined by a variable here:

https://github.com/vermiculus/sx.el/blob/4892f45746fb217d059f4fa074a237c5bac7dd6c/sx-auth.el#L37

vermiculus commented 8 years ago

Can you change the value of that constant to use https and see if it still works for you? If it does, I'll change it in master.

Hunter-Github commented 8 years ago

Changed; the redirect URI has changed, but since seanallred.com listens only on HTTP, it did not pull the page.

vermiculus commented 8 years ago

That's something with GitHub pages that I cannot fix, then. :frowning:

vermiculus commented 8 years ago

Well.... maybe. I'll have to screw around with my domain settings later tonight, but I'll give it a shot.

Hunter-Github commented 8 years ago

Many thanks in advance. Don't sweat it, though, the app was recommended by Gilles but I can live without it.

Hunter-Github commented 8 years ago

Relevant Sec.SE answer: https://security.stackexchange.com/a/66138

vermiculus commented 8 years ago

For as long as I use GitHub Pages for my blog, this won't really be possible (until GitHub makes some changes with its SSL cert strategy).

Just so you're aware, only the authentication token is sent insecurely.

  1. Unless you're on public wifi, I really wouldn't worry about it.
  2. You can revoke this authentication token at any time. It's not related to your password.

I'm going to leave this issue open in hopes that GitHub makes this possible or that my blog moves to another host. But for now, there's nothing I can do.

Malabarba commented 8 years ago

Yeah, I looked into it for my blog as well, but gh-pages just doesn't do https ATM.

Hunter-Github commented 8 years ago

Okay, thanks.

RockyRoad29 commented 6 years ago

I was not able to get an OAuth token. M-x sx-authenticate sends me to the URI (I obliterated the client-id here) https://stackoverflow.com/oauth/dialog?client_id=####&redirect_uri=http%253A%252F%252Fseanallred.com%252Fsx.el%252Fauth%252Fauth.htm&scope=read_inbox%2cno_expiry%2cprivate_info%2cwrite_access. The server answers: http%3A%2F%2Fseanallred.com%2Fsx.el%2Fauth%2Fauth.htm is not a valid uri

I tried setting https by hand in the redirect_uri; it doesn't help. As I couldn't figure out how removing the https from the request URI would be secure, I didn't try it.

But I think the redirect_uri looks like encoded twice.

vermiculus commented 6 years ago

> But I think the redirect_uri looks like encoded twice.

You're right on the money there. This is unrelated to this issue, though; can you open a new one?
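
The two defects discussed in this thread, the double-encoded redirect_uri and a plain-http redirect target, are easy to check mechanically. The following is an added example (not sx.el's own code, which is Emacs Lisp); it builds the OAuth dialog URL with each parameter encoded exactly once, reproduces the double-encoding mistake, and flags both problems from the query string. The client id is a placeholder; the redirect URI and scopes are the ones quoted above.

```python
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# Constructed values: placeholder client id, redirect URI and scopes from the thread.
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://seanallred.com/sx.el/auth/auth.htm"
SCOPES = ["read_inbox", "no_expiry", "private_info", "write_access"]
DIALOG = "https://stackoverflow.com/oauth/dialog"


def build_dialog_url(client_id, redirect_uri, scopes):
    """Correct form: urlencode percent-encodes each value exactly once."""
    return DIALOG + "?" + urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": ",".join(scopes),
    })


def build_dialog_url_double_encoded(client_id, redirect_uri, scopes):
    """The bug: the value is quoted by hand and then quoted again by urlencode,
    so ':' becomes '%3A' and then '%253A', which the server rejects as invalid."""
    return build_dialog_url(client_id, quote(redirect_uri, safe=""), scopes)


def check_redirect_uri(dialog_url):
    """Return (problems, redirect_uri) for the redirect_uri in a dialog URL.
    parse_qs already decodes once; a value that still has no scheme but gains
    one after a second unquote was encoded twice. A scheme other than https
    means the token lands on a plaintext page."""
    raw = parse_qs(urlsplit(dialog_url).query).get("redirect_uri", [""])[0]
    problems = []
    uri = raw
    if not urlsplit(uri).scheme and urlsplit(unquote(uri)).scheme:
        problems.append("double-encoded")
        uri = unquote(uri)
    if urlsplit(uri).scheme != "https":
        problems.append("not https")
    return problems, uri
```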

RockyRoad29 commented 6 years ago

Sure. See issue #349 and PR #350.

vermiculus commented 6 years ago

GitHub Pages now supports HTTPS, so this has been addressed.