[Github] Pass access token in a header. #428
Conversation
https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters > GitHub is deprecating authentication to the GitHub API using query parameters, such as using a access_token query parameter ....... https://developer.github.com/v3/auth/#basic-authentication
|
Would be good to have a release with that, otherwise github will spam us all 3 days for every app we use with social-auth against github. |
|
Fixes: #430 |
|
@omab Any chance you get a few minutes to review & merge this change ? |
|
I reached out to @omab over email. Hopefully this will get things going wrt to this PR. |
There was a problem hiding this comment.
Hi @asherf ,
GithubMemberOAuth2.user_data (Line 81) also has a self.request with access_token as param, I think we should change it also to the new header style, no? Thank you
|
Would also be nice once the merge has been completed, to provide a small update on what existing apps should do beyond a dependency upgrade, like a one-paragraph summary that says "place your token in the config file and then change this line of code here". |
|
I’m also worried about updating a production app with a version of social core from a couple of years ago, so I’d want to discuss how/if to go about that. |
Here we forked the repository, inside our organization, in the same version that we're currently using, and I did the required changes (similar to this PR changes) myself, and I'm adding a .zip file address provided by Github to the requirements.txt file. |
|
That seems like a good idea @rafaelcapucho - the changes are minimal and if it's only the header (and the functions are the same) it should be relatively easy to map. I think I'll wait until this is finished / done (merged) before doing this for my application. |
|
Tried reaching out via email and twitter... |
|
Huge +1 to what @asherf has contributed and said above. The deadline is approaching, and a lot of us are going to be forced to make change to our servers soon. It would be great to have a reviewed, and merged fix for this. |
|
Link to twitter in case other people want to try and reach out. |
|
This has been causing me quite some anxiety for a while, and (I have an older version of social auth) but I was able to make a custom backend with the needed changes that appears to be working. Here is the minimum example: from social_core.backends.github import GithubOAuth2
from six.moves.urllib.parse import urljoin
# Update headers to use token
# https://github.com/python-social-auth/social-core/pull/428/files
class ShubGithubOAuth2(GithubOAuth2):
def _user_data(self, access_token, path=None):
url = urljoin(self.api_url(), 'user{0}'.format(path or ''))
return self.get_json(url, headers={'Authorization': 'token {0}'.format(access_token)})And I also did this for my private version of the login (basically the same but with different permissions, not shown). Then in the settings.py (or however you store that) instead of importing the module from social_core, I import it from my file: # Python-social-auth
AUTHENTICATION_BACKENDS = (
'django.contrib.auth.backends.ModelBackend',
# 'social_core.backends.github.GithubOAuth2',
'shub.apps.users.views.auth.ShubGithubOAuth2',
'shub.apps.users.views.auth.GithubPrivateOAuth2',
'guardian.backends.ObjectPermissionBackend',
)I suspect if you use the And so far so good! The ultimate test will be if/when the date passes and to see if the thing stops working :P |
Pinging OSS authors on Twitter, especially excessively is not the right way to go. That gets very frustrating very fast, regardless of the reasons authors don't reply. I am an author myself so I know (pylint-django among others). OTOH @omab should take care to secure the future of the project by finding a few more co-maintainers. Clearly this project needs it. In the past I had reached out with proposal to help but didn't get a reply. FTR I still volunteer to help b/c one of my projects is heavily dependent on social-core and social-django. I don't like to fork or carry around modules and classes copied from upstream. I will happily review pull requests, make sure they look good and have tests and build new versions for PyPI. |
Obviously I didn't intend for people to bombard him with messages.... but tbh it is somewhat frustrating that I can't get a reply for him via email (sent ~3 emails over the past month or so), so..... I would love it if you have any suggestion on how we can continue from here. since it seems this project as a lot of people active on it (creating PRs & issues) but there seem to be a single maintainer that doesn't seem to respond... |
|
I think if he is busy, or chooses not to respond, that's probably his right - being an open source maintainer doesn't mean that you owe the community anything. We can't demand a response based on a timeline set by a third party. We would hope that there would be support, but we also don't know the kind of workload or incentives that he currently has. So what to do? We each have to optimize for our own needs. That could mean any, some subset, or all of the following:
I know it's frustrating, but I think we need to have compassion. We don't know the kind of things that @omab is dealing with, and I think as an open source maintainer for a very active and successful project, we should give him space. There is likely a reason he can't do this now. The fixes aren't so crazy that it's not possible to patch for the time being. When he is ready and engages, we can have discussion about how we can better help him in the future. |
|
Thanks for the change, as for the maintenance topic, I've posted a reply on the dedicated issue #445. |
https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters
https://developer.github.com/v3/auth/#basic-authentication