integration_github icon indicating copy to clipboard operation
integration_github copied to clipboard
verified publisher icon nextcloud

scopes for github oauth

Open memen45 opened this issue 4 years ago • 2 comments

https://github.com/nextcloud/integration_github/blob/318bbd10deeff6254534545fadac4c9e1287cc1c/src/components/PersonalSettings.vue#L182

In this line more access is requested compared to what is described in settings. Should it not be read:user user:email notifications instead to be more specific?

As mentioned in the "connected accounts" GitHub settings hint, you should check "read:user", "user:email" and "notifications" permissions.

Originally posted by @eneiluj in https://github.com/nextcloud/integration_github/issues/18#issuecomment-762299141

memen45 avatar Sep 01 '21 16:09 memen45

Yes well, when using OAuth, we request more scopes than when using a personal token. It's not a big deal as the app never makes any action which require the user:follow permission.

Keep in mind that the instructions in the settings are for personal tokens and the line you mention is about the scopes that are required when getting a token via OAuth.

Did I understand your concern?

Anyway, for security reasons, let's limit the OAuth scopes as much as possible, you're right. it's done and pushed. It will be included in the next release.

julien-nc avatar Sep 01 '21 18:09 julien-nc

Yes, indeed, both scopes repo and user:follow are not used then, right?

memen45 avatar Sep 01 '21 21:09 memen45