Update GitHub configuration to require Personal Access Tokens.

Review Request #11017 — Created May 7, 2020 and submitted

Information

Review Board
release-3.0.x

Reviewers

GitHub has deprecated support for creating OAuth access tokens via the
API, instead requiring a web-based flow for creating tokens, or usage of
a Personal Access Token:

https://developer.github.com/changes/2020-02-14-deprecating-oauth-auth-endpoint/

Since our UI still needs to be rewritten to handle a dynamic
authentication process, our current approach is to require a Personal
Access Token instead of a password.

This is fairly straightforward, fortunately. It just requires visiting
a page (which we link to), providing a token name, clicking a few
checkboxes for the scopes we need, and then pasting the resulting token
in the field. To help with this, we've renamed the "Account Username"
and "Account Password" fields to "GitHub Username" and "Personal Access
Token", and provided help text linking to the appropriate page and
listing the scopes to enable.

During authorization, Review Board will make sure it has the scopes it
needs, displaying a helpful error if it doesn't.

This also allows us to delete a whole bunch of code. We no longer need
to offer an option for resetting tokens, since this is managed by the
user and by GitHub. We also no longer need to worry about the rate limit
issues we used to have.

Basically, we used to link up a token with our GitHub OAuth
Client/Secret IDs, if set in settings, which was originally built to
ensure higher rate limits and to tie those limits to a user and not
Review Board's IP address. This isn't needed with Personal Access
Tokens. Instead, rate limits will be bound to the user who owns those
tokens.

This does not impact any existing users. However, once GitHub's
deprecations go fully into effect, which should happen in November 2020,
users will need to upgrade Review Board to 3.0.18 or higher in order to
link new accounts.

Documentation has been updated to help users with the new process of
linking accounts.

Unit tests passed.

Tested linking new accounts using a Personal Access Token. I tested with
a token that had all the scopes that are required, and tokens that were
missing some combinations of scopes. Verified that a suitable error was
shown in these cases.

Tested standard usage of accounts previously linked with the older tokens
and new ones linked with Personal Access Tokens. Verified both were working
without issues.

Built the docs and checked for errors and bad links.

Summary ID
Update GitHub configuration to require Personal Access Tokens.
edb4c0f03f936c9b8bf5d85d1814cb8021593789
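
The scope check the description mentions ("Review Board will make sure it has the scopes it needs"), sketched as an added example that is not Review Board's code. It reads the `X-OAuth-Scopes` header that GitHub returns on API responses for classic tokens; `REQUIRED_SCOPES` and the function names are assumptions, since the page does not list the scopes Review Board requires.

```python
# Added example (not Review Board's code): verify a token's scopes from the
# X-OAuth-Scopes response header before accepting it for account linking.

# Assumption: scopes this hypothetical integration requires.
REQUIRED_SCOPES = ("repo", "admin:repo_hook", "read:org")

# Broader scopes and the narrower ones they include (a subset of GitHub's
# documented scope hierarchy).
IMPLIED_SCOPES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "admin:org": {"write:org", "read:org"},
    "user": {"read:user", "user:email", "user:follow"},
}


def parse_scopes_header(value):
    """Split a comma-separated X-OAuth-Scopes value into a set of names."""
    return {s.strip() for s in (value or "").split(",") if s.strip()}


def effective_scopes(granted):
    """Expand granted scopes with the narrower scopes they include."""
    result = set(granted)
    for scope in granted:
        result |= IMPLIED_SCOPES.get(scope, set())
    return result


def missing_scopes(headers, required=REQUIRED_SCOPES):
    """Return the required scopes the token lacks, in the order required."""
    lowered = {k.lower(): v for k, v in headers.items()}  # case-insensitive
    if "x-oauth-scopes" not in lowered:
        # Fail closed: without the header the grant cannot be verified.
        raise ValueError("no X-OAuth-Scopes header; cannot verify scopes")
    have = effective_scopes(parse_scopes_header(lowered["x-oauth-scopes"]))
    return [s for s in required if s not in have]


def scope_error(headers, required=REQUIRED_SCOPES):
    """Return a user-facing error for an under-scoped token, else None."""
    missing = missing_scopes(headers, required)
    if not missing:
        return None
    return ("The Personal Access Token is missing required scopes: %s. "
            "Edit the token on GitHub, enable them, and try again."
            % ", ".join(missing))


# Constructed response headers, standing in for a real API response.
FULL = {"X-OAuth-Scopes": "repo, admin:repo_hook, admin:org"}
PARTIAL = {"x-oauth-scopes": "public_repo, write:repo_hook, read:org"}
```

A narrower scope never satisfies a broader requirement (`public_repo` does not stand in for `repo`), while a broader grant such as `admin:org` covers `read:org`.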

david
  1. reviewboard/hostingsvcs/github.py (Diff revision 1)

    Can you add a docstring?

    1. I went back and forth on this, because I'm going to be ripping all this out in release-4.0.x, but sure.

  2. reviewboard/hostingsvcs/github.py (Diff revision 1)

    Can you add a docstring?

  3. reviewboard/hostingsvcs/github.py (Diff revision 1)

    Can you add a docstring?

chipx86
david
  1. reviewboard/hostingsvcs/github.py (Diff revisions 1 - 2)

    Performs -> Perform

chipx86
Review request changed
Status: Completed
Change Summary: Pushed to release-3.0.x (c4500b0)