Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deprecation for authentication via URL query parameters #83

Closed
ybiquitous opened this issue Feb 4, 2020 · 3 comments · Fixed by #84
Closed

Deprecation for authentication via URL query parameters #83

ybiquitous opened this issue Feb 4, 2020 · 3 comments · Fixed by #84

Comments

@ybiquitous
Copy link

ybiquitous commented Feb 4, 2020
edited

Hi! I've received the following email from GitHub since yesterday:

Subject: [GitHub API] Deprecation notice for authentication via URL query parameters

Hello there!

On February 3rd, 2020 at 23:51 (UTC) your application (*****) used an access token (with the User-Agent Faraday v0.17.3) as part of a query parameter to access an endpoint through the GitHub API.

https://api.github.com/user

Please use the Authorization HTTP header instead as using the `access_token` query parameter is deprecated.

Depending on your API usage, we'll be sending you this email reminder once every 3 days for each token and User-Agent used in API calls made on your behalf.
Just one URL that was accessed with a token and User-Agent combination will be listed in the email reminder, not all.

Visit https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters for more information.

Thanks,
The GitHub Team

See also https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters

I've identified the problem in the following places:

omniauth-github/lib/omniauth/strategies/github.rb

Lines 45 to 48 in 2e77639

def raw_info
access_token.options[:mode] = :query
@raw_info ||= access_token.get('user').parsed
end

omniauth-github/lib/omniauth/strategies/github.rb

Lines 60 to 64 in 2e77639

def emails
return [] unless email_access_allowed?
access_token.options[:mode] = :query
@emails ||= access_token.get('user/emails', :headers => { 'Accept' => 'application/vnd.github.v3' }).parsed
end

When I try the following monkey patch on my environment, it works! 🎉

class OmniAuth::Strategies::GitHub
  def raw_info
    access_token.options[:mode] = :header
    @raw_info ||= access_token.get('user').parsed
  end

  def emails
    return [] unless email_access_allowed?
    access_token.options[:mode] = :header
    @emails ||= access_token.get('user/emails', :headers => { 'Accept' => 'application/vnd.github.v3' }).parsed
  end
end

Here is the essential change: ⬇️

-access_token.options[:mode] = :query
+access_token.options[:mode] = :header

I don't want to depend on such a monkey-patch in my codebase, so I'm ready to open a new pull request if you could accept the workaround. 😄

Environment

  • Ruby 2.6.5
  • omniauth (1.9.0)
  • omniauth-oauth2 (1.6.0)
  • omniauth-github (1.3.0)
@tomhughes tomhughes mentioned this issue Feb 4, 2020
Closed
@Firefishy Firefishy mentioned this issue Feb 4, 2020
Merged
@ruebot ruebot mentioned this issue Feb 5, 2020
Closed
@ybiquitous
Copy link
Author

Thanks a lot! 🎉

@ssaunier
Copy link

ssaunier commented Feb 7, 2020
edited

Thanks for the quick fix 🙏

Any plan on pushing a new version to Rubygems?

[EDIT] Oh I see this is being discussed in #84, sorry 🙈

@BobbyMcWho
Copy link
Member

I'll leave this here so folks can find it

#88 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Use header auth mode for user and email requests DazWorrall/omniauth-github
3 participants
@ssaunier @ybiquitous @BobbyMcWho