
fix(auth): Support 2FA via browser window auth

Open bmulholland opened this issue 2 years ago • 4 comments

I'm working to remove the usage of electron remote, and Auth windows are the last one. They open the auth in a new window. Since GitHub has started enforcing 2FA for almost everyone, the electron-window auth approach isn't functional for most. It therefore doesn't make sense to spend work maintaining the existing broken auth; instead, we can switch to a new one.

This change moves auth to open in the default browser. When Auth is done, it will redirect to gitify://oauth-callback, which the app will register and monitor, finishing the auth process when it's done.

At this point, I've got an initial approach started, but there's still lots to do. Help is welcomed.

There are several pieces left:

  • [ ] Fix the start of the auth process
    • [ ] Allow the gitify://oauth-callback redirect in the GitHub app settings -- do we have access to that?
    • [ ] Fix the initialization of it -- all the types etc are broken, and the browser probably doesn't even open
  • [ ] Catch and handle the completion of the auth
    • [ ] Communicate the auth from the main process to the App context, which started the Auth
    • [ ] Error handling
  • [ ] Testing
    • [ ] Figure out automated testing approach, if possible
    • [ ] Manually test
  • [ ] Documentation
    • [ ] Per https://github.com/gitify-app/gitify/issues/395, document the changed redirect URI

Fixes https://github.com/gitify-app/gitify/issues/561
Fixes https://github.com/gitify-app/gitify/issues/650
Fixes https://github.com/gitify-app/gitify/issues/429
Fixes https://github.com/gitify-app/gitify/issues/485
Closes https://github.com/gitify-app/gitify/issues/395

bmulholland avatar Oct 04 '23 09:10 bmulholland

Current dependencies on/for this PR:

  • main
    • PR #613 Graphite
      • PR #649 Graphite
        • PR #651 Graphite
          • PR #652 Graphite
            • PR #653 Graphite
              • PR #654 Graphite 👈

This comment was auto-generated by Graphite.

bmulholland avatar Oct 04 '23 09:10 bmulholland

@afonsojramos do you have access to the GitHub App to add the redirect URI?

bmulholland avatar Oct 04 '23 09:10 bmulholland

@bmulholland can't we keep using the existing gitify.io/callback redirect URI? Why do we need a new one?

afonsojramos avatar Oct 04 '23 10:10 afonsojramos

@afonsojramos We need a way to get the information in the URL at the end of authentication to the app. Currently, this is done by controlling the browser itself, waiting until there's a redirect, and intercepting that event. If we open auth in an external browser, there isn't a way to monitor the event and intercept the page when auth is completed.

Using a custom protocol is the usual way to get that data from the browser to an app, in lieu of intercepting events like that. So this is the standard approach.

If we wanted to avoid adding a new redirect URI to the GitHub App, if we control gitify.io, we could perhaps add a redirect from that callback URI to our custom protocol, which would complete this flow. However, that wouldn't fix https://github.com/gitify-app/gitify/issues/429, and is also a genuine security hole: anyone with access to gitify.io could probably MITM the callback and get access to quite a lot of data.

bmulholland avatar Oct 04 '23 12:10 bmulholland

superseded by https://github.com/gitify-app/gitify/pull/1781

setchy avatar Jan 29 '25 14:01 setchy