Refined-github: Verify token in options

Created on 21 Nov 2020 · 14Comments · Source: sindresorhus/refined-github

When the user pastes a token, we could verify that the token:

Is active/valid
Has the expected scope(s)

3734 will add a function that helps with this validation.

help wanted meta

Source

fregante

👍2

Most helpful comment

It's a cache problem, not an API problem

Screen Shot 2020-11-26 at 17 37 11

Use cache: 'no-store'

const {headers} = await fetch('https://api.github.com/', { 
    cache: 'no-store',
    headers: {...}
});

fregante on 27 Nov 2020

🚀1 ❤1 👍1

All 14 comments

Did a drop of testing here it does not give back all scopes. For example discussion is not passed back.

yakov116 on 22 Nov 2020

We don't need discussion and currently we only soft-require repo and delete_repo, both of which are reported.

Let's take this opportunity to better explain why the token is needed: https://github.com/sindresorhus/refined-github/pull/3757

And then add something like ✅ Valid or ❌ Not set/invalid next to each that is updated with the validation.

fregante on 22 Nov 2020

👍1

From my testing we cannot see if they have public and/or private repo enabled it just returns repo

yakov116 on 25 Nov 2020

maxresdefault

public_repo means that they only have access to public repositories.

repo means access to all repositories; this includes public_repo

It's in the notes I added in #3757

Try creating a token with just public_repo and it will show up.

fregante on 25 Nov 2020

👍1

I will try again tomorrow.
I need help understanding how to reset on domain change.

See https://github.com/sindresorhus/refined-github/tree/validate-token for my half baked work.

yakov116 on 25 Nov 2020

I just tested and confirmed. It only gives you back what you selected when you created the token. Which means that if you made any changes, the header does not update! It will update if you regenerate the token.

So if a users adds a permission there will be no way for us to update it

yakov116 on 26 Nov 2020

@fregante can you confirm too?

yakov116 on 26 Nov 2020

That's not right either. You can see the same token changing scopes here, seconds after changing them:

❯ http HEAD https://api.github.com/ "Authorization: token b77a804af914872e62b8c84d009f37f509cf2b58"
HTTP/1.1 200 OK
X-OAuth-Scopes: public_repo

❯ http HEAD https://api.github.com/ "Authorization: token b77a804af914872e62b8c84d009f37f509cf2b58"
HTTP/1.1 200 OK
X-OAuth-Scopes: repo

❯ http HEAD https://api.github.com/ "Authorization: token b77a804af914872e62b8c84d009f37f509cf2b58"
HTTP/1.1 200 OK
X-OAuth-Scopes: delete_repo, public_repo

fregante on 26 Nov 2020

I think you're confusing "token regeneration" with "token update." The regeneration creates a new token, but that's not what you're supposed to do:

nook

fregante on 26 Nov 2020

I did both. I will make a screencast. Maybe something was wrong with Github yesterday.

yakov116 on 26 Nov 2020

Keep in mind that api.v3 is memoized. Use fetch directly instead

fregante on 26 Nov 2020

https://github.com/sindresorhus/refined-github/blob/09323918b5a3031fcb525a98474df0025d5a9f66/source/options.tsx#L14-L24

I will try it again in an hour

yakov116 on 26 Nov 2020

It's a cache problem, not an API problem

Screen Shot 2020-11-26 at 17 37 11

Use cache: 'no-store'

const {headers} = await fetch('https://api.github.com/', { 
    cache: 'no-store',
    headers: {...}
});

fregante on 27 Nov 2020

🚀1 ❤1 👍1

THANKS! How did you know I just started wording on it!

yakov116 on 27 Nov 2020

🚀1

Was this page helpful?

0 / 5 - 0 ratings

Related issues

Close dropdowns when they scroll out of view

sindresorhus · 3Comments

Show actor real name in dashboard events

hkdobrev · 3Comments

Limit reaction avatars to 2 when there are too many

fregante · 3Comments

Explore is highlighted when selecting trending

yakov116 · 3Comments

Cross-repo issue link in issue title

durka · 3Comments