
Insecure GitHub login!

Open kuxynator opened this issue 3 years ago • 4 comments

On first start you have to log in to your GitHub account. But the login does not come from the standard browser. https://prnt.sc/8HUPdBzRjiqs So I do not know where the page that looks like the GitHub login comes from, nor where the data is sent. Any fraudulent app uses such a data scam page. I have to entrust my highly sensitive credentials to an unknown/untrusted third-party application? This is not acceptable. (and also not necessary)

Solution: Open the GitHub authentication request in the default browser. In the trusted default browser, you are already logged in, so no transfer of personal credentials is usually required. This ensures that no third-party application knows the credentials.

kuxynator · Nov 29 '22 15:11

Gitify is an Electron app - basically Chromium + Node.

The window that opens is an Electron window (running Chromium) - another window of the Gitify app.

Your credentials are not shared with any third party application, they always stay inside Gitify.

JakeSidSmith · Nov 30 '22 11:11

Could it just open my browser, where I am already logged in? The Electron login popup can't use my password manager and it can't use WebAuthn for security-key based login. Most other apps just do an OAuth2 workflow login to get the login token and redirect it to an app URL.

jgentil · Dec 15 '22 18:12

This blocks us from using Gitify without a personal access token. We have SSO set up for GitHub. When I try to authorize for an organization I can enter username and password on our company's login page. The next step would be to enter the 2FA code, but Gitify just closes the window. So I cannot authorize for my orgs.

florianmutter · Sep 27 '23 07:09

I've started on a fix for this in https://github.com/gitify-app/gitify/pull/654. Help is welcomed.

bmulholland · Oct 04 '23 09:10