Update GitHub configuration to require Personal Access Tokens.

 






 

 


  Review Request #11017
  —
  Created May 7, 2020 and submitted  — Latest diff uploaded 

 


















 

  

   Information

  





 
 

  chipx86
 









 
 

  Review Board
 









 
 

  release-3.0.x
 









 
 

  
 









 
 

  
 






 




 

  

   Reviewers

  





 
 

  reviewboard
 









 
 

  
 






 








 





  


 
 

  
GitHub has deprecated support for creating OAuth access tokens via the

API, instead requiring a web-based flow for creating tokens, or usage of

a Personal Access Token:


https://developer.github.com/changes/2020-02-14-deprecating-oauth-auth-endpoint/


Since our UI still needs to be rewritten to handle a dynamic

authentication process, our current approach is to require a Personal

Access Token instead of a password.


This is fairly straight-forward, fortunately. It just requires visiting

a page (which we link to), providing a token name, clicking a few

checkboxes for the scopes we need, and then pasting the resulting token

in the field. To help with this, we've renamed the "Account Username"

and "Account Password" fields to "GitHub Username" and "Personal Access

Token", and provided help text linking to the appropriate page and

listing the scopes to enable.


During authorization, Review Board will make sure it has the scopes it

needs, displaying a helpful error if it doesn't.


This also allows us to delete a whole bunch of code. We no longer need

to offer an option for resetting tokens, since this is managed by the

user and by GitHub. We also no longer need to worry about the rate limit

issues we used to have.


Basically, We used to link up a token with our GitHub OAuth

Client/Secret IDs, if set in settings, which was originally built to

ensure higher rate limits and to tie those limits to a user and not

Review Board's IP address. This isn't needed with Personal Access

Tokens. Instead, rate limits will be bound to the user who owns those

tokens.


This does not impact any existing users. However, once GitHub's

deprecations go fully into effect, which should happen in November 2020,

users will need to upgrade Review Board to 3.0.18 or higher in order to

link new accounts.


Documentation has been updated to help users with the new process of

linking accounts.

 








  


 
 

  
Unit tests passed.


Tested linking new accounts using a Personal Access Token. I tested with

a token that had all the scopes that are required, and tokens that were

missing some combinations of scopes. Verified that a suitable error was

shown in these cases.


Tested standard usage of accounts previously linked with the older tokens

and new ones linked with Personl Access Tokens. Verified both were working

without issues.


Built the docs and checked for errors and bad links.

 







 









 





  








 

  
  


   

    

     

     

     

    

   


   

  

 





 







   

    
    

    

    


    

      
Commits

      

        
      

    


    


      
Files


      

       
      

    

    

   

  

 





    


    

    





     
    
    
    
   
    
  
    
  
    
   
   Loading...