Update GitHub configuration to require Personal Access Tokens.
Review Request #11017 — Created May 7, 2020 and submitted — Latest diff uploaded
GitHub has deprecated support for creating OAuth access tokens via the
API, instead requiring a web-based flow for creating tokens, or usage of
a Personal Access Token:https://developer.github.com/changes/2020-02-14-deprecating-oauth-auth-endpoint/
Since our UI still needs to be rewritten to handle a dynamic
authentication process, our current approach is to require a Personal
Access Token instead of a password.This is fairly straight-forward, fortunately. It just requires visiting
a page (which we link to), providing a token name, clicking a few
checkboxes for the scopes we need, and then pasting the resulting token
in the field. To help with this, we've renamed the "Account Username"
and "Account Password" fields to "GitHub Username" and "Personal Access
Token", and provided help text linking to the appropriate page and
listing the scopes to enable.During authorization, Review Board will make sure it has the scopes it
needs, displaying a helpful error if it doesn't.This also allows us to delete a whole bunch of code. We no longer need
to offer an option for resetting tokens, since this is managed by the
user and by GitHub. We also no longer need to worry about the rate limit
issues we used to have.Basically, We used to link up a token with our GitHub OAuth
Client/Secret IDs, if set in settings, which was originally built to
ensure higher rate limits and to tie those limits to a user and not
Review Board's IP address. This isn't needed with Personal Access
Tokens. Instead, rate limits will be bound to the user who owns those
tokens.This does not impact any existing users. However, once GitHub's
deprecations go fully into effect, which should happen in November 2020,
users will need to upgrade Review Board to 3.0.18 or higher in order to
link new accounts.Documentation has been updated to help users with the new process of
linking accounts.
Unit tests passed.
Tested linking new accounts using a Personal Access Token. I tested with
a token that had all the scopes that are required, and tokens that were
missing some combinations of scopes. Verified that a suitable error was
shown in these cases.Tested standard usage of accounts previously linked with the older tokens
and new ones linked with Personl Access Tokens. Verified both were working
without issues.Built the docs and checked for errors and bad links.