
Questionable permission level

Open shaedrich opened this issue 1 year ago • 7 comments

What do you need that excessive permissions for? I thought, you just need to read from a simple gist?


shaedrich avatar Jul 24 '24 12:07 shaedrich

Thanks for the report. It should only need:

  • read and write public gist
  • read user profile

The current permissions are set here -> https://github.com/jsonresume/jsonresume.org/blob/master/apps/registry/auth.js#L12

I will check it out later if no one else knows how to reduce those permissions

thomasdavis avatar Jul 24 '24 12:07 thomasdavis

Just need to change it to read:user for read only user.

But I don't think it's possible to scope it to public gist only

thomasdavis avatar Jul 24 '24 12:07 thomasdavis

That seems to be included as the default. See: https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes

shaedrich avatar Jul 24 '24 12:07 shaedrich

Yeah but it doesn't support writing gist which is needed for the editor

thomasdavis avatar Jul 24 '24 12:07 thomasdavis

Ah, okay. You are right. This would need the gist permission then

shaedrich avatar Jul 24 '24 12:07 shaedrich

I've updated it to just read user profile in this commit https://github.com/jsonresume/jsonresume.org/commit/8e5b9dc908c20ece1dd965c154294b1b904af78c

Will keep this open for a little while to see if anyone has any good ideas to let people keep their gists private.

thomasdavis avatar Jul 24 '24 12:07 thomasdavis

Awesome! Thanks 👍🏻

shaedrich avatar Jul 24 '24 12:07 shaedrich

✅ Permissions Minimized

Verified current OAuth scopes in apps/registry/auth.js:12:

scope: 'read:user gist'

Current Permissions:

  • read:user - Read-only access to user profile (email, name, username)
  • gist - Read/write access to gists (required for editor functionality)

These are the minimum permissions required for JSON Resume to function:

  1. User profile - Needed to identify the user and fetch their resume
  2. Gist access - Required to read resume.json and update it via the editor

GitHub API Limitation:

Unfortunately, GitHub doesn't offer a "public gist only" scope. The gist scope grants access to both public and private gists. This is a limitation of GitHub's OAuth implementation, not JSON Resume.

Alternatives Considered:

  • Using only public APIs would prevent editing functionality
  • A separate "read-only" mode could use no gist scope, but users couldn't edit their resume

The current implementation strikes the best balance between functionality and minimal permissions.

Closing as the permissions have been reduced to the absolute minimum required.

thomasdavis avatar Oct 05 '25 04:10 thomasdavis
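The scope configuration discussed above, as an added JavaScript example that is not part of jsonresume.org's code: it builds the GitHub authorize URL with exactly the two scopes the thread settles on (read:user and gist), and checks the X-OAuth-Scopes header GitHub returns on API responses against that list, so an over-privileged token (for example one issued with the broader user scope before the reduction) is flagged rather than silently accepted. The scope names are GitHub's; the constant names, the helper functions, the forbidden-scope list and the sample header values are assumptions made for this example.

```javascript
// Added example, not jsonresume.org's own code.
// Least-privilege GitHub OAuth scopes for a gist-backed resume editor, plus a
// check that the token GitHub actually issued carries only those scopes.
// Scope names are GitHub's; constants, helper names and sample values are
// assumed for illustration.

// The two scopes the issue settles on. 'gist' is read/write on public AND
// private gists; GitHub offers no public-only gist scope.
const REQUIRED_SCOPES = ['read:user', 'gist'];

// Broader scopes that satisfy a required one but grant more than it does.
// 'user' (read/write profile, including user:email and user:follow) covers
// 'read:user': a token holding 'user' still works but is over-privileged.
const IMPLIED_BY = { 'read:user': ['user'] };

// Scopes that should never appear on this app's tokens (assumed list); kept
// so a review of the granted set names them rather than reporting "excess".
const FORBIDDEN_SCOPES = ['user', 'repo', 'delete_repo', 'admin:org', 'workflow'];

// GitHub separates scopes with spaces in the authorize URL and with ", " in
// the X-OAuth-Scopes response header; accept both forms.
function parseScopes(scopeString) {
  return scopeString.split(/[\s,]+/).filter(Boolean);
}

// Authorize URL requesting exactly REQUIRED_SCOPES. clientId, redirectUri and
// state are placeholders supplied by the caller.
function buildAuthorizeUrl(clientId, redirectUri, state) {
  const url = new URL('https://github.com/login/oauth/authorize');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', REQUIRED_SCOPES.join(' '));
  url.searchParams.set('state', state); // CSRF binding; verify it on the callback
  return url.toString();
}

function scopeSatisfied(granted, required) {
  return granted.has(required) ||
    (IMPLIED_BY[required] || []).some((parent) => granted.has(parent));
}

// Compare the scopes GitHub reports on an API response (X-OAuth-Scopes header)
// against what the app needs. Returns missing (editor will break), excess
// (more than requested, e.g. a token issued before the scope reduction) and
// the subset of excess that is explicitly forbidden.
function checkGrantedScopes(xOAuthScopesHeader) {
  const granted = new Set(parseScopes(xOAuthScopesHeader));
  const missing = REQUIRED_SCOPES.filter((s) => !scopeSatisfied(granted, s));
  const excess = [...granted].filter((s) => !REQUIRED_SCOPES.includes(s));
  const forbidden = excess.filter((s) => FORBIDDEN_SCOPES.includes(s));
  return { ok: missing.length === 0 && excess.length === 0, missing, excess, forbidden };
}

// Constructed sample header values, in the format GitHub uses on e.g. GET /user.
const SAMPLE_HEADERS = {
  minimal: 'read:user, gist',  // what the current auth.js scope string requests
  legacy: 'user, gist',        // a token issued before the scope reduction
  readOnly: 'read:user',       // a "read-only mode" token: no gist editing
};
```

Reducing the scope string in auth.js only affects tokens issued from then on; a token a user authorized earlier keeps the scopes it was granted until the user re-authorizes or the app revokes it, which is why the X-OAuth-Scopes check belongs at runtime (on the first API call after login, for instance) and not just in the configuration.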

Thanks a lot!

shaedrich avatar Oct 05 '25 09:10 shaedrich