This repository has been archived by the owner on Nov 4, 2022. It is now read-only.

Use API keys by default #450

Closed
appsforartists opened this issue Jul 6, 2016 · 7 comments

@appsforartists

appsforartists commented Jul 6, 2016

gh delegates to the npm github module for authentication, which sends your username and password as an HTTP header. That feels insecure.

GitHub has personal access tokens for this purpose, which is what github is creating behind-the-scenes. Can we change the prompt to ask for a token, and completely avoid potentially sending real user credentials over-the-wire?

@henvic
Member

henvic commented Jul 8, 2016

I wish GitHub had something like https://google.com/device (which I intend to use in a project which I am working on).

I am not doing this now, but I might find some time to do so in about 3 weeks (hopefully).

  • The ideal case would also be using a public/private certificate on the client side, instead of a shared secret (tokens).

@brennantaylor

I was able to use only my username and PAT by leaving the password blank in the ~/.gh.json.

@mohhasbias

I think it is already supported in the current release.
We could use a GitHub token by filling it in in the .gh.json file.

There is a github_token property in the file: https://github.com/node-gh/gh/blob/master/default.gh.json#L19

@mohhasbias

I think asking for github_token could be used instead of the password.

@protoEvangelion
Member

We could offer a list of authentication options using inquirer: https://github.com/SBoudrias/Inquirer.js#prompt-types

The list of options could include what @octokit/rest offers: https://github.com/octokit/rest.js#authentication

@kenshinji

> I think it is already supported in the current release.
> We could use a GitHub token by filling it in in the .gh.json file.
>
> There is a github_token property in the file: https://github.com/node-gh/gh/blob/master/default.gh.json#L19

@mohhasbias Are you sure about that? This is what I got when I was using a personal access token for access.

[Screenshot 2019-05-08 at 10 09 03 AM]

@protoEvangelion
Member

@kenshinji you can generate a personal access token yourself here: https://github.com/settings/tokens/new

Add these scopes:

image

And then add to your ~/.gh.json

    "github_token": "yourtoken",
    "github_user": "yourusername",

This will allow you to bypass the prompt which is just a convenience method. All we do is generate the personal token and store it for you automatically. Please let me know if you have any issues with that.

I'm closing this for now as we will still offer the convenience method of generating the personal token for you.
