
brycelarkin | 1 year ago

I was a Mintlify customer 6 months ago and found their onboarding strange. Their GitHub app asked for permissions to access all my repos and there was no way to get around that. I just wanted to give them access to my docs repo, not my app repo. Ended up having to dig through their settings page and revoking that permission after onboarding.

For customer OAuth tokens, I believe you should NEVER store the access token in the database. Only store the refresh token in the database. When you need API access, get a new access token with the refresh token and client secret.

This prevents incidents like the above as the attacker would also need your client secret, which is ideally not in your database.
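The storage pattern described in this comment, as an added example that is not part of the thread: the table has no access_token column, the client secret is read from the environment, and a short-lived access token is minted on demand from the refresh token. The client id, secret, endpoint URL and the `transport` hook are constructed placeholders so the code can be exercised offline.

```python
import json
import os
import sqlite3
import urllib.parse
import urllib.request

# The client secret lives in the environment or a secret manager, never in the DB
# (constructed placeholder values; not a real client).
CLIENT_ID = "example-client-id"
CLIENT_SECRET = os.environ.get("OAUTH_CLIENT_SECRET", "constructed-secret")


def open_store(path=":memory:"):
    """Schema holds only the refresh token; there is deliberately no access_token column."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS oauth_grants "
               "(customer_id TEXT PRIMARY KEY, refresh_token TEXT NOT NULL)")
    return db


def save_grant(db, customer_id, token_response):
    """Persist the refresh token from a token response; the access token is dropped."""
    db.execute("INSERT OR REPLACE INTO oauth_grants VALUES (?, ?)",
               (customer_id, token_response["refresh_token"]))
    db.commit()


def http_post_form(url, fields):
    """Default transport: x-www-form-urlencoded POST, JSON reply (RFC 6749 refresh grant)."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.loads(resp.read())


def fetch_access_token(db, customer_id, token_url, client_secret=CLIENT_SECRET,
                       transport=http_post_form):
    """Mint an access token on demand from the stored refresh token; use it, do not store it."""
    row = db.execute("SELECT refresh_token FROM oauth_grants WHERE customer_id = ?",
                     (customer_id,)).fetchone()
    if row is None:
        raise KeyError(customer_id)
    reply = transport(token_url, {"grant_type": "refresh_token", "refresh_token": row[0],
                                  "client_id": CLIENT_ID, "client_secret": client_secret})
    if "access_token" not in reply:
        # A dumped DB alone (refresh token without the secret) ends up here.
        raise PermissionError(reply.get("error", "token refresh refused"))
    if "refresh_token" in reply:  # some providers rotate refresh tokens; keep the newest
        save_grant(db, customer_id, reply)
    return reply["access_token"]
```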


e40 | 1 year ago

Too generous permissions are something that often makes me not install software. Zoom apps for example. Slack apps another example. Mostly browser extensions.

PierceJoy | 1 year ago

The browser extension permission model is so bad. It’s prevented me from using 99% of extensions I was interested in.

junon | 1 year ago

This is pretty typical of GitHub, unfortunately. They have terrible scoping and don't give developers the option to even give users that flexibility. It's been like this for over a decade, I don't think GitHub will ever learn.

oefrha | 1 year ago

Wrong. “GitHub Apps” always (?) had fine-grained repo-scoped permissions, it’s the “OAuth apps” that are stuck with coarse-grained permissions. So developers do have the option, it’s even the preferred option.[1]

> In general, GitHub Apps are preferred over OAuth apps.

[1] https://docs.github.com/en/apps/oauth-apps/building-oauth-ap...

Ruepler | 1 year ago

Exactly. You'd need to implement standard authentication mechanisms, preventing these vectors of attack from existing in the first place.

They are "in the process" and "looking" to do that. As of now if I am not mistaken the main issue still persists and any other new security vulnerability will possibly give full access to tokens again.

Correct me if I am wrong please but I don't see anything in the comment or Blog post saying otherwise.

> and are also in the process of completely deprecating the admin tokens for a more secure internal authentication procedure. Not to mention, we're also looking to fully deprecate the need of the GitHub OAuth tokens entirely in the coming weeks.

https://www.reddit.com/r/cscareerquestions/comments/1bh22bq/...