Implement GitHub OAuth to restrict access #73
Open. danlivings-dxw wants to merge 7 commits into feature/use-github-webhooks from feature/use-auth.
Conversation
danlivings-dxw force-pushed the feature/use-auth branch from 39340ca to d915e23 (October 17, 2024 12:46)
danlivings-dxw force-pushed the feature/use-github-webhooks branch from e303c55 to 61f8d54 (October 17, 2024 13:00)
danlivings-dxw force-pushed the feature/use-auth branch from d915e23 to e59e3b1 (October 17, 2024 13:01)
danlivings-dxw force-pushed the feature/use-github-webhooks branch from 61f8d54 to 6f0fd81 (October 17, 2024 14:59)
danlivings-dxw force-pushed the feature/use-auth branch from e59e3b1 to 4f8638a (October 17, 2024 15:01)
danlivings-dxw force-pushed the feature/use-github-webhooks branch from 6f0fd81 to 0ed3848 (October 17, 2024 15:03)
This defines the `REDIRECT_URL_BASE` environment variable which can be used to configure which callback URL Towtruck provides when using the OAuth authentication flow. Octokit already provides as part of its middleware the ability to authenticate as a GitHub user, so Towtruck just needs to be able to hook into this process.
Towtruck should expose a login page rather than immediately redirecting to the GitHub auth page, both to avoid surprising the user and also to provide a landing area if more login methods are supported in the future. To make sure that this login page looks the same as the index page, `index.njk` has been split:

- `base.njk` contains the `<head>` and outer body to the `.container`
- `index.njk` contains the content found inside the `.container`

A `login.njk` page has also been introduced that provides a link to the GitHub login webhook.
User tokens are stored as a cookie. If no valid token is presented, the user is shown the login page, which allows them to authorise Towtruck to access their account. This then redirects to the Towtruck callback URL, which generates the token and instructs the browser to store it before redirecting to the index page.
This allows basic path parameter recognition in the form of `/path/{with}/{parameters}` as well as verbatim paths. This will allow for things such as redirecting to a dedicated login route, or presenting dashboards for specific organisations.
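As an added example (not Towtruck's own router), the following matcher implements the `/path/{with}/{parameters}` form described in the commit above alongside verbatim paths. The route table (`/`, `/login`, `/logout`, `/{org}`) is taken from this PR's description; the `Router` class, the `compileRoute`/`matchRoute` helpers and the `dispatch` function are assumptions of this example, not the project's API.

```javascript
// Added example, not Towtruck's own code. Route patterns are split into
// segments; a segment written as {name} captures one path component,
// anything else must match verbatim. The sample routes are constructed.

function compileRoute(pattern) {
  // Drop empty segments so "/" and "" both compile to an empty list.
  const segments = pattern.split("/").filter((s) => s.length > 0);
  return segments.map((seg) => {
    const m = /^\{([A-Za-z_][A-Za-z0-9_]*)\}$/.exec(seg);
    return m ? { kind: "param", name: m[1] } : { kind: "literal", value: seg };
  });
}

function matchRoute(compiled, path) {
  // Route only on the path; a query string never takes part in matching.
  const pathOnly = path.split("?")[0];
  const parts = pathOnly.split("/").filter((s) => s.length > 0);
  if (parts.length !== compiled.length) return null;
  const params = {};
  for (let i = 0; i < compiled.length; i++) {
    const seg = compiled[i];
    if (seg.kind === "literal") {
      if (seg.value !== parts[i]) return null;
    } else {
      // Decode percent-encoding so "my%20org" captures as "my org";
      // a malformed escape sequence is treated as no match.
      try {
        params[seg.name] = decodeURIComponent(parts[i]);
      } catch {
        return null;
      }
    }
  }
  return params; // {} for a parameterless match, never null on success
}

function paramCount(compiled) {
  return compiled.filter((s) => s.kind === "param").length;
}

class Router {
  constructor() {
    this.routes = [];
  }
  add(pattern, handler) {
    this.routes.push({ pattern, compiled: compileRoute(pattern), handler });
    return this;
  }
  resolve(path) {
    // Verbatim routes are tried before parameterised ones so that
    // "/login" is never captured by "/{org}". Array.prototype.sort is
    // stable, so routes with equal parameter counts keep insertion order.
    const ordered = [...this.routes].sort(
      (a, b) => paramCount(a.compiled) - paramCount(b.compiled)
    );
    for (const r of ordered) {
      const params = matchRoute(r.compiled, path);
      if (params !== null) return { pattern: r.pattern, params, handler: r.handler };
    }
    return null;
  }
}

// Route table taken from the PR description (handlers are stand-ins).
const router = new Router()
  .add("/", () => "index")
  .add("/login", () => "login")
  .add("/logout", () => "logout")
  .add("/{org}", ({ org }) => `dashboard:${org}`);

function dispatch(path) {
  const match = router.resolve(path);
  return match ? match.handler(match.params) : "404";
}
```

Ordering by parameter count is what keeps a fixed route such as `/login` reachable once a catch-all like `/{org}` exists; a router that tries routes in insertion order would instead treat `login` as an organisation name.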
This now saves repository-scoped data with the `name` being of the format `org/reponame`. This allows for a method like `getAllRepositoriesForOrg`, which provides two benefits:

1. Towtruck can provide per-organisation dashboards.
2. Towtruck can restrict access to organisations for which the logged in user should not have access.
The root path `/` now displays a list of organisations using Towtruck that the user is a member of. Items in the list link to organisation-specific dashboards available at `/{org}`. Users that aren't members of an organisation will be redirected back to the root path, preventing the unauthorised access to information about private repositories.
A link in the header is provided to logged in users. The `/logout` endpoint instructs the browser to delete the Token cookie and redirects the user to the root page.
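The access decisions described across the commits above (token cookie, organisation index, per-organisation dashboard, logout) as an added example; this is not Towtruck's code. The cookie name `token`, the `orgsForToken` lookup (a stand-in for the GitHub API call the real app would make through Octokit), the list of organisations using Towtruck and the sample tokens are all constructed for the example, and the cookie attributes on logout are this example's choice rather than something the PR states.

```javascript
// Added example, not Towtruck's own code. It models the request handling
// the commits describe: no valid token -> login page; "/" -> only the
// organisations the user belongs to; "/{org}" for a non-member -> redirect
// to "/"; "/logout" -> clear the token cookie and redirect to "/".

const TOKEN_COOKIE = "token"; // assumed name; the PR only says "Token cookie"

function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Constructed stand-in for "which organisations can this user token see";
// in the real app this answer comes from GitHub, not from a table.
const SAMPLE_TOKEN_ORGS = {
  "tok-alice": ["dxw", "example-org"],
  "tok-bob": ["example-org"],
};

// Constructed list of organisations that have Towtruck installed.
const ORGS_USING_TOWTRUCK = ["dxw", "example-org", "other-org"];

function orgsForToken(token) {
  return SAMPLE_TOKEN_ORGS[token] || null; // null means no valid token
}

// Expiring the cookie with the same Path it was set on is what makes the
// browser actually drop it; HttpOnly/Secure/SameSite are this example's choice.
const CLEAR_TOKEN_COOKIE =
  `${TOKEN_COOKIE}=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax`;

function handle(request) {
  const cookies = parseCookies((request.headers || {}).cookie);
  const path = request.path.split("?")[0];

  if (path === "/logout") {
    return { status: 302, headers: { Location: "/", "Set-Cookie": CLEAR_TOKEN_COOKIE } };
  }

  const memberOf = orgsForToken(cookies[TOKEN_COOKIE]);
  if (memberOf === null) {
    // Missing or invalid token: render the login page rather than bouncing
    // straight to GitHub, as the commit message describes.
    return { status: 200, view: "login" };
  }

  if (path === "/") {
    const visible = ORGS_USING_TOWTRUCK.filter((o) => memberOf.includes(o));
    return { status: 200, view: "index", orgs: visible };
  }

  const m = /^\/([^/]+)$/.exec(path);
  if (m) {
    const org = decodeURIComponent(m[1]);
    if (!ORGS_USING_TOWTRUCK.includes(org) || !memberOf.includes(org)) {
      // One response for both "unknown organisation" and "not a member",
      // so the redirect does not reveal which organisations use Towtruck.
      return { status: 302, headers: { Location: "/" } };
    }
    return { status: 200, view: "dashboard", org };
  }
  return { status: 404 };
}
```

Note that the index page is built by intersecting the organisations using Towtruck with the user's memberships, and the dashboard route checks the same intersection again on every request; the list shown on `/` is a convenience, not the access control.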
danlivings-dxw force-pushed the feature/use-auth branch from 4f8638a to 289a884 (October 17, 2024 15:03)
This PR implements the GitHub OAuth authentication mechanism to allow Towtruck to identify who is using the app. This provides two main benefits:
Together, these prevent the potential leaking of information about private repositories to unauthorised users of the Towtruck application.
When using the Towtruck application for the first time, a user will be prompted to log in using GitHub:
This will redirect to the GitHub App authorisation page:
Upon granting access to Towtruck, the user is redirected to the organisation index (the root path `/`):

Each organisation's name is a link to the organisation-specific dashboard, which is now available at the `/{org}` path. Attempting to access an organisation for which the user is not a member will redirect to the index.

Additionally, a "Logout" link is provided in the header, and the application title is now also a link to the index page.