Excessive access scope for GitHub OAuth app #401
It is an unintentional coincidence that this issue number (401) is the HTTP status code that means "Unauthorized."
BowlerStudio uses Git (and specifically GitHub, although more are coming this summer) as its "filesystem". BowlerStudio creates, modifies, then saves files to the Git repository they come from. In the CAD kernel, files can link to each other, but only by their public Git URLs. The point of the tool is not simply to encourage open source development, but to make closed source development out of pipeline. Using closed source repos in the BowlerStudio file system makes for potentially broken sources when the dependent script is published. The permissions requested allow users to use BowlerStudio on private repos, so long as they create them out of pipeline and then open them in BowlerStudio later.

That said, I totally understand the hesitance. The simplest solution would be to make a burner account in GitHub, an account you just point BowlerStudio at, and keep private information out of it. I plan on making a GitLab and Google Docs plugin so the user can choose which one they wish to use. At the moment the GitHub layer is perfused throughout the tool, so there is not a very good way to isolate certain content in GitHub separately from other content in a given account. I'll leave this issue open until there are other options, since the explanation might help other users in the future.
For reference, these are the scopes requested:
[screenshot of the requested scopes]
"repo" is added so the user can push/pull/tag a repo; this is how files are saved.
Makes sense to me! I see why this is low priority, given that there is an operational workaround:
[screenshot]
It looks like the GitHub OAuth app is configured to request access to all scopes. This could lead to unintended exposure of private data stored on a user's GitHub account. This prevents me from using the GitHub integration in Bowler Studio, because my repos are private for a reason.
Installed Version
v2.25.1
Expected behavior
Admittedly, I do not know the specific use-cases for the GitHub integration in Bowler Studio, so I do not know the exact scopes that are required.
I believe a user should be able to specify which repositories and organizations are accessible by Bowler Studio.
I don't see why Bowler Studio would need access to personal user data.
Actual Behavior
Steps to reproduce the behavior
You may need to revoke your existing OAuth credentials.
This will redirect you to GitHub's OAuth page, where you can see the access request.
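Added example (not BowlerStudio's code, and not written by either participant): a Python script that audits what a GitHub OAuth token can actually do against the single scope the maintainer's comment says the tool needs (`repo`, for push/pull/tag), and builds an authorize URL that asks for only that scope. The scope-implication table is an assumption transcribed from GitHub's OAuth scope documentation and should be checked against the current list; the sample header value is constructed, standing in for what GitHub returns in `X-OAuth-Scopes` for a token issued to an app that asked for everything; `CLIENT_ID` and the `state` value are placeholders. One caveat for the reporter's request: OAuth app scopes are account-wide, so even `repo` alone reaches every private repository the user can access; per-repository selection is a property of GitHub Apps, not of OAuth scopes.

```python
"""Audit a GitHub OAuth token's scopes against a least-privilege allowlist.

Added example, not BowlerStudio code. The IMPLIES table is an assumption
transcribed from GitHub's OAuth scope documentation; re-check it before
relying on it.
"""
import os
import urllib.parse
import urllib.request

# Broader scope -> scopes it implicitly grants (assumption: GitHub docs).
IMPLIES = {
    "repo": {"repo:status", "repo_deployment", "public_repo",
             "repo:invite", "security_events"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:public_key": {"write:public_key", "read:public_key"},
    "write:public_key": {"read:public_key"},
    "admin:gpg_key": {"write:gpg_key", "read:gpg_key"},
    "write:gpg_key": {"read:gpg_key"},
    "user": {"read:user", "user:email", "user:follow"},
    "write:discussion": {"read:discussion"},
    "write:packages": {"read:packages"},
}

# Constructed sample of the X-OAuth-Scopes header GitHub returns for a token
# minted by an app that asked for "all scopes"; not captured from BowlerStudio.
SAMPLE_SCOPE_HEADER = ("admin:org, admin:public_key, admin:repo_hook, "
                       "delete_repo, gist, notifications, repo, user, workflow")

# What the maintainer's comment says the tool actually uses: push/pull/tag.
REQUIRED = {"repo"}


def parse_scope_header(value):
    """X-OAuth-Scopes is a comma-separated list; an empty value means none."""
    return {s.strip() for s in value.split(",") if s.strip()}


def expand(scopes):
    """Close a scope set under IMPLIES so 'repo' also counts as repo:status etc."""
    closed = set(scopes)
    todo = list(scopes)
    while todo:
        scope = todo.pop()
        for child in IMPLIES.get(scope, ()):
            if child not in closed:
                closed.add(child)
                todo.append(child)
    return closed


def excess_scopes(granted, required):
    """Capabilities the token carries beyond what `required` would grant."""
    return expand(granted) - expand(required)


def authorize_url(client_id, scopes, state, redirect_uri=None):
    """Build the /login/oauth/authorize URL requesting only `scopes`.

    `state` must be an unguessable per-request value that is checked when
    the callback arrives (CSRF protection for the OAuth redirect).
    """
    params = {"client_id": client_id,
              "scope": " ".join(sorted(scopes)),
              "state": state}
    if redirect_uri:
        params["redirect_uri"] = redirect_uri
    return ("https://github.com/login/oauth/authorize?"
            + urllib.parse.urlencode(params))


def fetch_granted_scopes(token):
    """Live check of a real token: GitHub echoes its scopes on any API reply."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return parse_scope_header(resp.headers.get("X-OAuth-Scopes", ""))


if __name__ == "__main__":
    # With GITHUB_TOKEN set, audit a real token; otherwise use the sample.
    token = os.environ.get("GITHUB_TOKEN")
    granted = (fetch_granted_scopes(token) if token
               else parse_scope_header(SAMPLE_SCOPE_HEADER))
    extra = excess_scopes(granted, REQUIRED)
    print("granted :", ", ".join(sorted(granted)))
    print("excess  :", ", ".join(sorted(extra)) or "(none)")
    # CLIENT_ID and the state value are placeholders for illustration.
    print("minimal :", authorize_url("CLIENT_ID", REQUIRED, state="replace-with-random"))
```

Run against the constructed header, the script reports seventeen capabilities beyond `repo` (organization administration, key and hook administration, `delete_repo`, `user`, and so on); run with `GITHUB_TOKEN` set to a token issued to the app under test, it reports the real excess, which is the check to make before and after the app's scope list is tightened.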