    Update GitHub configuration to require Personal Access Tokens.

    Review Request #11017 — Created May 7, 2020 and submitted — Latest diff uploaded

    Information

    Review Board
    release-3.0.x

    GitHub has deprecated support for creating OAuth access tokens via the
    API, instead requiring a web-based flow for creating tokens, or usage of
    a Personal Access Token:

    https://developer.github.com/changes/2020-02-14-deprecating-oauth-auth-endpoint/

    Since our UI still needs to be rewritten to handle a dynamic
    authentication process, our current approach is to require a Personal
    Access Token instead of a password.

    This is fairly straightforward, fortunately. It just requires visiting
    a page (which we link to), providing a token name, clicking a few
    checkboxes for the scopes we need, and then pasting the resulting token
    in the field. To help with this, we've renamed the "Account Username"
    and "Account Password" fields to "GitHub Username" and "Personal Access
    Token", and provided help text linking to the appropriate page and
    listing the scopes to enable.

    During authorization, Review Board will make sure it has the scopes it
    needs, displaying a helpful error if it doesn't.

    This also allows us to delete a whole bunch of code. We no longer need
    to offer an option for resetting tokens, since this is managed by the
    user and by GitHub. We also no longer need to worry about the rate limit
    issues we used to have.

    Basically, we used to link up a token with our GitHub OAuth
    Client/Secret IDs, if set in settings, which was originally built to
    ensure higher rate limits and to tie those limits to a user and not
    Review Board's IP address. This isn't needed with Personal Access
    Tokens. Instead, rate limits will be bound to the user who owns those
    tokens.

    This does not impact any existing users. However, once GitHub's
    deprecations go fully into effect, which should happen in November 2020,
    users will need to upgrade Review Board to 3.0.18 or higher in order to
    link new accounts.

    Documentation has been updated to help users with the new process of
    linking accounts.
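As an added illustration of the scope check described above (this is example code, not Review Board's own implementation), the following reads the `X-OAuth-Scopes` header that GitHub returns on API responses authenticated with a token, expands broader scopes into the narrower ones they imply, and reports which required scopes are missing. The list of required scopes is an assumption for the example, not taken from this review request.

```python
# Added example, not Review Board's code: verify that a GitHub Personal
# Access Token carries the scopes an integration needs, based on the
# X-OAuth-Scopes header GitHub sends on token-authenticated API responses.

# Assumed for illustration; the real required set is not given on this page.
REQUIRED_SCOPES = {'repo', 'user', 'admin:repo_hook'}

# Broader scopes that grant the narrower scopes listed under them.
SCOPE_IMPLIES = {
    'repo': {'repo:status', 'repo_deployment', 'public_repo', 'repo:invite'},
    'admin:repo_hook': {'write:repo_hook', 'read:repo_hook'},
    'write:repo_hook': {'read:repo_hook'},
    'user': {'read:user', 'user:email', 'user:follow'},
}


def parse_scopes(header_value):
    """Parse an X-OAuth-Scopes value such as "repo, user" into a set."""
    if not header_value:
        return set()  # a token with no scopes yields an empty header
    return {s.strip() for s in header_value.split(',') if s.strip()}


def expand_scopes(scopes):
    """Add every scope implied by a broader scope the token already holds."""
    expanded = set(scopes)
    for scope in scopes:
        expanded |= SCOPE_IMPLIES.get(scope, set())
    return expanded


def missing_scopes(header_value, required=REQUIRED_SCOPES):
    """Return the required scopes the token lacks, sorted for a stable message."""
    granted = expand_scopes(parse_scopes(header_value))
    return sorted(set(required) - granted)


def check_token_scopes(headers, required=REQUIRED_SCOPES):
    """Return (ok, message) for the headers of a token-authenticated response."""
    missing = missing_scopes(headers.get('X-OAuth-Scopes', ''), required)
    if missing:
        return (False, 'The Personal Access Token is missing the required '
                       'scopes: %s' % ', '.join(missing))
    return (True, 'The Personal Access Token has all required scopes.')


if __name__ == '__main__':
    # Constructed header dicts standing in for real API responses.
    print(check_token_scopes({'X-OAuth-Scopes': 'repo, user, admin:repo_hook'}))
    print(check_token_scopes({'X-OAuth-Scopes': 'public_repo, user'}))
```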

    Unit tests passed.

    Tested linking new accounts using a Personal Access Token. I tested with
    a token that had all the scopes that are required, and tokens that were
    missing some combinations of scopes. Verified that a suitable error was
    shown in these cases.

    Tested standard usage of accounts previously linked with the older tokens
    and new ones linked with Personal Access Tokens. Verified both were working
    without issues.

    Built the docs and checked for errors and bad links.
