
Send PAT as authorization header rather than through the query string when downloading releases #972

Closed
Zhaph opened this issue May 2, 2020 · 6 comments

Comments

@Zhaph

Zhaph commented May 2, 2020

I received the following notification from GitHub yesterday after downloading a release package on my device through Octodroid:

On May 2nd, 2020 at 01:12 (UTC) your personal access token (Octodroid - samsung SM-G935F) using AndroidDownloadManager/10 (Linux; U; Android 10; GM1903 Build/QKQ1.190716.003) was used as part of a query parameter to access an endpoint through the GitHub API:

https://api.github.com/repositories/90656179/releases/assets/20145670

Please use the Authorization HTTP header instead, as using the access_token query parameter is deprecated. If this token is being used by an app you don't have control over, be aware that it may stop working as a result of this deprecation.

It would be great if this could be adjusted so that I can continue to download the occasional APK from repositories.

In this particular case the repository is public.

@maniac103
Collaborator

Reopening since I need to revert the fix as it caused regressions (see #976).

@landry314

Just got the same email today so it is still going to be an issue!

=======
On December 2nd, 2020 at 15:33 (UTC) your personal access token (Octodroid) using AndroidDownloadManager/11 (Linux; U; Android 11; Pixel 3 Build/RP1A.201105.002) was used as part of a query parameter to access an endpoint through the GitHub API:

https://api.github.com/repositories/19611854/releases/assets/25532968

Please use the Authorization HTTP header instead, as using the access_token query parameter is deprecated. If this token is being used by an app you don't have control over, be aware that it may stop working as a result of this deprecation.

Depending on your API usage, we'll be sending you this email reminder on a monthly basis for each token and User-Agent used in API calls made on your behalf.
Just one URL that was accessed with a token and User-Agent combination will be listed in the email reminder, not all.

Visit https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param for more information about suggested workarounds and removal dates.

@casperdcl

casperdcl commented Feb 21, 2021

From #976 (comment)

  • in the redirection request, the Authorization header is still present

so why not remove it @maniac103?

@maniac103
Collaborator

maniac103 commented Feb 21, 2021

> so why not remove it @maniac103?

I'm not sure why you're asking this here, but the reason is Android's download manager not being under Octodroid's control.

(Having said that, I would've sworn I already fixed #976 by implementing the workaround approach suggested by GH staff. Need to check where that commit went :-/ )

@casperdcl

lol but I assume gh4a itself sends a web request and can thus handle the 302 response itself?

@maniac103
Collaborator

> lol but I assume gh4a itself sends a web request and can thus handle the 302 response itself?

So far, it doesn't. It takes the URL in the release asset object and passes that to the Android download manager. The new code adds another intermediate request for resolving the redirect.
(Fix will come in a minute, forgot to push it - will do a new release with it in the next 2 or 3 days)
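The three approaches discussed in this thread can be shown side by side: the deprecated `access_token` query parameter from the original report, the first header-based fix that regressed in #976 because the Android download manager carried the `Authorization` header across the 302 to the storage host, and the two-step approach maniac103 describes (resolve the redirect with a separate request, then hand the pre-signed URL to the downloader without credentials). The Python below is an added illustration, not gh4a's code; the API URL is the one from the first post, while the token value, the storage host `objects.example-storage.test` and the fake transport are constructed stand-ins so that it runs offline.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample values; nothing here talks to the real GitHub API.
API_URL = "https://api.github.com/repositories/90656179/releases/assets/20145670"
TOKEN = "ghp_constructedExampleToken"
STORAGE_URL = "https://objects.example-storage.test/asset.apk?X-Amz-Signature=constructed"


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


# A transport is (url, request headers, follow_redirects) -> Response.
Transport = Callable[[str, Dict[str, str], bool], Response]


def fake_github_transport(log: List[Tuple[str, Dict[str, str]]]) -> Transport:
    """Stand-in for the network (constructed). Two hosts are modelled: the API host,
    which accepts the PAT either in the Authorization header or, deprecated, in
    ?access_token= and answers with a 302 to a pre-signed storage URL; and the
    storage host, which rejects any request carrying an Authorization header (the
    behaviour behind the #976 regression). With follow_redirects=True the SAME
    headers are re-sent to the redirect target, as a naive redirect-following
    downloader does. Every request is appended to `log` for auditing."""

    def respond(url: str, headers: Dict[str, str]) -> Response:
        parts = urlsplit(url)
        if parts.netloc == "api.github.com":
            query_token = parse_qs(parts.query).get("access_token", [None])[0]
            auth = headers.get("Authorization", "")
            header_token = auth[len("token "):] if auth.startswith("token ") else None
            if TOKEN in (query_token, header_token):
                return Response(302, {"Location": STORAGE_URL})
            return Response(404)
        if parts.netloc == "objects.example-storage.test":
            return Response(400 if "Authorization" in headers else 200)
        return Response(502)

    def transport(url: str, headers: Dict[str, str], follow: bool) -> Response:
        log.append((url, dict(headers)))
        resp = respond(url, headers)
        if follow and resp.status == 302:
            return transport(resp.headers["Location"], headers, follow)
        return resp

    return transport


def download_with_query_token(transport: Transport) -> Response:
    """Deprecated approach from the original report: PAT in the query string.
    It downloads fine, but the secret ends up in URLs, proxy logs and referrers."""
    return transport(f"{API_URL}?access_token={TOKEN}", {}, True)


def download_with_header_naively(transport: Transport) -> Response:
    """First attempted fix: PAT in the Authorization header, downloader follows the
    redirect itself and carries the header to the storage host, which rejects it."""
    return transport(API_URL, {"Authorization": f"token {TOKEN}"}, True)


def download_via_resolved_redirect(transport: Transport) -> Response:
    """Two-step approach: an intermediate request with the header and redirects
    disabled yields the pre-signed Location; that URL is then fetched with no
    credentials at all, so the PAT never leaves the API host."""
    first = transport(API_URL, {"Authorization": f"token {TOKEN}"}, False)
    if first.status != 302 or "Location" not in first.headers:
        raise RuntimeError(f"expected a redirect from the API, got {first.status}")
    return transport(first.headers["Location"], {}, True)


def token_exposure(log: List[Tuple[str, Dict[str, str]]]) -> Dict[str, bool]:
    """Audit the request log: did the PAT appear in any URL, or in an Authorization
    header sent to a host other than the API?"""
    return {
        "in_query_string": any(TOKEN in url for url, _ in log),
        "sent_to_foreign_host": any(
            urlsplit(url).netloc != "api.github.com"
            and TOKEN in headers.get("Authorization", "")
            for url, headers in log
        ),
    }


if __name__ == "__main__":
    for strategy in (download_with_query_token,
                     download_with_header_naively,
                     download_via_resolved_redirect):
        requests: List[Tuple[str, Dict[str, str]]] = []
        status = strategy(fake_github_transport(requests)).status
        print(f"{strategy.__name__}: HTTP {status}, exposure={token_exposure(requests)}")
```

Only the two-step variant both completes the download and keeps the token out of URLs and off the storage host. In an Android app the first request is an ordinary HTTP call made by the app itself with redirects disabled, and only the resulting pre-signed URL is handed to the system download manager, with no `Authorization` header attached.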
