Yes, a docs entry would indeed be a good idea! (And a PR is welcome!) For actually implementing it in the library itself, I might not see it fit. First of all, as you mentioned, we abstracted away the actual HTTP client, so this can be added at the application level when you set up the HTTP client with HTTPlug. On the other hand, this library can be used with an enterprise setup, so validating github.com won't do the trick.
So all in all, I'm more in favor of giving this a clear place in the docs so people who are looking for this kind of extra check are able to do it.
Would it make sense, before calling endpoints of the github.com API (and before sending secret access tokens over the wire), to validate the SSL certificate of the endpoint, so we are sure we are actually sending the secret data over to github.com and not another system which pretends to be github.com?
As far as I understand the current code, the certificate is not validated right now?
If I read the Guzzle docs correctly, it should be possible to pass the github.com cert to `verify` so we can be sure about the other end of the TLS encryption: https://www.bookstack.cn/read/guzzlephp-7.0-en/spilt.28.239bab766e46db73.md
In case this is considered out-of-scope, because this package abstracts away the HTTP client being used behind HTTPlug, it might be worthwhile to describe in https://github.com/KnpLabs/php-github-api/blob/master/doc/security.md how to validate the cert properly.
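The setup the issue asks about, and that the maintainer's reply says belongs at the application level, as an added example that is neither the issue author's code nor part of php-github-api itself. It assumes Guzzle 7 and knplabs/github-api v3 installed through Composer, a CA bundle at a hypothetical path, and a placeholder token; the enterprise hostname is made up. Guzzle's own default is `'verify' => true`, which validates against the system CA store, so the practical risk is a client that sets it to `false`; the example shows that weak setting next to an explicit, auditable trust anchor that also covers a GitHub Enterprise host with an internal CA:

```php
<?php
// Added example: not code from the php-github-api project or from the issue.
// Assumes: guzzlehttp/guzzle ^7 and knplabs/github-api ^3 via Composer,
// and a readable CA bundle at the hypothetical path below.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client as GuzzleClient;
use Github\Client as GithubClient;
use Github\HttpClient\Builder;

// Weak setting: 'verify' => false turns off certificate validation, so a token
// sent through this client is readable by whoever terminates the TLS session.
// Kept here only so it is easy to recognise in code review; never ship it.
$insecure = new GuzzleClient(['verify' => false]);

// Explicit trust anchor: Guzzle accepts a path to a CA bundle for 'verify'.
// Pin the CA bundle, not the github.com leaf certificate, which rotates.
$caBundle = '/etc/ssl/certs/ca-certificates.crt'; // hypothetical path
if (!is_readable($caBundle)) {
    throw new RuntimeException("CA bundle not readable: $caBundle");
}
$http = new GuzzleClient([
    'verify'  => $caBundle,
    'timeout' => 10,
]);

// github.com: Guzzle 7 is a PSR-18 client, so the library can use it directly.
$github = GithubClient::createWithHttpClient($http);
$github->authenticate('<personal-access-token>', null, GithubClient::AUTH_ACCESS_TOKEN);
// Any request now fails before the token leaves the process if the peer's
// certificate does not chain to $caBundle, e.g.:
// $me = $github->currentUser()->show();

// GitHub Enterprise: same TLS configuration, different base URL. With a bundle
// that contains the company's internal CA this is what "validate the endpoint"
// means for an enterprise host (hostname is made up).
$enterprise = new GithubClient(new Builder($http), null, 'https://github.example.com');
$enterprise->authenticate('<enterprise-token>', null, GithubClient::AUTH_ACCESS_TOKEN);
```

The check the issue wants is therefore a property of the HTTP client passed into the library, not of the library: grep an application for `'verify' => false` (and for `CURLOPT_SSL_VERIFYPEER` set to false in custom handlers) to find the cases where tokens would be sent without peer validation.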