Tokens will now always be checked for their specific types. This wasn't directly a security risk, as `text` was previously either a username like `anbraten` or a repo-name like `anbraten/test`, and as users won't have `/` in their name there should be no risk that a user was able to use their token to authenticate a repo-hook. New tokens are using `user-id` and `repo-id`, further minimizing the risk. However, it seems to be good practice to check the actual token type, and therefore it is now a required part of `Parse` and `ParseRequest`.

Extracted from #3822
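
The type check described above, as an added example that is not part of this pull request or the project's code: a toy HMAC-signed `type.id.signature` token whose parser takes the expected type as a required argument. The token format, the constants, the key and the `SignToken`/`ParseToken` names are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical token types, one per kind of caller the description mentions.
const (
	UserToken = "user"
	HookToken = "hook"
)

var ErrBadToken = errors.New("invalid token")

func mac(key []byte, payload string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
}

// SignToken issues "type.id.signature"; the type is covered by the MAC,
// so it cannot be swapped without invalidating the signature.
func SignToken(key []byte, typ, id string) string {
	payload := typ + "." + id
	return payload + "." + mac(key, payload)
}

// ParseToken verifies the signature, then requires the type the caller expects.
// There is no way to call it without stating which type is acceptable.
func ParseToken(key []byte, want, raw string) (string, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 || !hmac.Equal([]byte(mac(key, parts[0]+"."+parts[1])), []byte(parts[2])) {
		return "", ErrBadToken
	}
	if parts[0] != want {
		return "", fmt.Errorf("%w: type %q, want %q", ErrBadToken, parts[0], want)
	}
	return parts[1], nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample key
	userTok := SignToken(key, UserToken, "42")
	_, err := ParseToken(key, HookToken, userTok)
	fmt.Println("user token presented as hook token:", err)
}
```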