Improve App Authorization security
Hi, I want to give access to create a PR on GitHub, but I'm a bit concerned as to why so many are requested.
Can it just request access to PRs or something?
PS Can I ask a few dumb questions?
- Is there any description of how to work with other developers' PR if you need to add changes there? I tried to fix something, but couldn't find how to push it to the repo.
- How can I stash\unstash code?
Hey @AmirL! Thank you for bringing this up! From the GitHub docs on OAuth scopes, the repo scope is needed for the fetch / push / PR create functionality.
I tried reducing the surface area, but the scopes are just not granular enough.
Here's a comparison with 2 other clients that do this integration, GitHub Desktop and GitHub CLI:
One thing that you could do, however, is use your own GitHub OAuth application! It will work just fine because everything is local on your machine. The app uses the device flow, so you can make a new GitHub application in the GH interface and replace the client ID here: https://github.com/gitbutlerapp/gitbutler/blob/master/gitbutler-app/src/github/commands.rs#L9
We can create a guide for this process soon, and also make it so that plugging a different OAuth app does not require compiling from source but it's configured instead.
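The device flow mentioned in the reply above, run with a client ID from your own OAuth app, as an added example that is not GitButler's code and not part of the thread. The function names and the injectable `post`, `sleep` and `show` parameters are assumptions made here; the endpoints, fields and error codes are those of GitHub's documented device flow, and the check on granted scopes is an extra safeguard added in this example.

```python
import json, time, urllib.parse, urllib.request

DEVICE_CODE_URL = "https://github.com/login/device/code"
TOKEN_URL = "https://github.com/login/oauth/access_token"
GRANT = "urn:ietf:params:oauth:grant-type:device_code"

def post_form(url, fields):
    """Default transport: form-encoded POST that asks for a JSON reply."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(),
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def device_login(client_id, scope="repo", post=post_form, sleep=time.sleep, show=print):
    """Run the device flow for client_id; return (access_token, granted_scopes)."""
    # Step 1: ask for a device code. Scopes are space-delimited in the request.
    start = post(DEVICE_CODE_URL, {"client_id": client_id, "scope": scope})
    show(f"Open {start['verification_uri']} and enter {start['user_code']}")
    interval = start.get("interval", 5)
    deadline = time.monotonic() + start["expires_in"]
    # Step 2: poll until the user approves, denies, or the code expires.
    while time.monotonic() < deadline:
        sleep(interval)
        reply = post(TOKEN_URL, {"client_id": client_id,
                                 "device_code": start["device_code"],
                                 "grant_type": GRANT})
        error = reply.get("error")
        if error == "authorization_pending":
            continue                      # user has not entered the code yet
        if error == "slow_down":
            interval = reply.get("interval", interval + 5)
            continue                      # back off as the server instructs
        if error:                         # access_denied, expired_token, ...
            raise PermissionError(error)
        # Step 3: the token reply lists granted scopes, comma-separated.
        granted = set(filter(None, reply.get("scope", "").split(",")))
        extra = granted - set(scope.split())
        if extra:                         # refuse a token broader than requested
            raise PermissionError(f"token carries unrequested scopes: {sorted(extra)}")
        return reply["access_token"], granted
    raise TimeoutError("device code expired before approval")
```
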
> We can create a guide for this process soon, and also make it so that plugging a different OAuth app does not require compiling from source but it's configured instead.
That would be great!
Is there a way to create a PR manually and use it with GitButler somehow? I'm going to stick without the app authorization for now.
@krlvi Can GitButler just call a GitHub CLI command if it's installed? Just an idea of an alternative.