[Bug 1940907] [NEW] [SRU] Authentication/Authorization broken due to GitHub platform changes
Launchpad Bug Tracker
1940907 at bugs.launchpad.net
Fri Sep 17 08:18:21 UTC 2021
You have been subscribed to a public bug by Valters Jansons (sigv):
[Impact]
* Gist upload (arguably the core function of the package) is not
functioning. Package versions prior to 5.1.0 provide the user's access token
as a query (URL) parameter, however GitHub changes now require it to be
provided as an HTTP(S) header:
https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters
* --login is not functioning. Package versions prior to 6.0.0 use an
authentication endpoint that has been shut down since November 2020:
https://developer.github.com/changes/2020-02-14-deprecating-oauth-auth-endpoint/
[Test Plan]
* rm ~/.gist # stored credentials
* gist-paste --login

  Currently (5.0.0-4 focal) fails; output:
    Obtaining OAuth2 access_token from github.
    GitHub username: username
    GitHub password:
    RuntimeError: Got Net::HTTPNotFound from gist: {"message":"Not Found","documentation_url":"https://docs.github.com/rest"}

  Expected web-based OAuth; output:
    Requesting login parameters...
    Please sign in at https://github.com/login/device
    and enter code: DEAD-BEEF
    Success! https://github.com/settings/connections/applications/402bac389df41f24c62f

* echo 'class Test {}' > Test.java
* gist-paste -f Test.java -t java -p -d 'Fast method tester' -R Test.java

  Currently (5.0.0-4 focal) fails; output:
    Error: Got Net::HTTPBadRequest from gist: {"message":"Must specify access token via Authorization header. https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param","documentation_url":"https://docs.github.com/v3/#oauth2-token-sent-in-a-header"}

  Expected randomly-generated Gist link; output:
    https://gist.github.com/username/eed178872769488d84378b13de8bb698/raw
[Where problems could occur]
* The SRU requires a rewrite of the authentication workflow, with a new
OAuth (web-based) approach.
The `--login` invocation previously accepted two inputs over stdin,
however it now waits for the user to carry out manual steps based on
the instructions displayed (opening a page in a web browser, and entering a
code, as visible in the Test Plan above). Although automated scripts should
not be invoking `--login`, as the relevant token is stored persistently
in the user's home, if in any case they do so then it could halt further
processing of the script.
[Other Info]
* These changes have been tested as part of package release on prior Ubuntu versions, as well as landing in Debian stable:
- Gist 5.1.0-1 was published in Groovy (20.10) with relevant HTTP(S) header change.
- Gist 6.0.0-1 was published in Hirsute (21.04) with relevant changes for OAuth workflow (--login).
** Affects: gist (Ubuntu)
Importance: Undecided
Status: Fix Released
** Affects: gist (Ubuntu Bionic)
Importance: Undecided
Status: Confirmed
** Affects: gist (Ubuntu Focal)
Importance: Undecided
Status: Confirmed
** Tags: amd64 apport-bug focal
--
[SRU] Authentication/Authorization broken due to GitHub platform changes
https://bugs.launchpad.net/bugs/1940907
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.
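The first [Impact] item, as an added Ruby example that is not part of the bug report and is not the gist package's own code: it builds a request the legacy way (token in the query string, where proxy and access logs can record it) and then rewrites it so the token travels only in the Authorization header. The helper names and the token value are constructed for illustration; nothing is sent over the network.

```ruby
require "net/http"
require "uri"
require "json"

GISTS_API = "https://api.github.com/gists" # GitHub REST endpoint for creating gists

# Legacy style described in the report: the access token is appended to the
# URL as a query parameter. (Hypothetical helper, constructed for this example.)
def legacy_gist_request(token, payload)
  uri = URI(GISTS_API)
  uri.query = URI.encode_www_form(access_token: token)
  req = Net::HTTP::Post.new(uri)
  req.body = JSON.generate(payload)
  req
end

# True when a request still carries a credential in its URL.
def token_in_url?(req)
  URI.decode_www_form(req.uri.query.to_s).any? { |key, _| key == "access_token" }
end

# Rebuild the request with the token moved from the query string into the
# Authorization header; other query parameters and the body are preserved.
def move_token_to_header(req)
  params = URI.decode_www_form(req.uri.query.to_s)
  token = params.assoc("access_token")&.last
  return req if token.nil? # nothing to migrate

  remaining = params.reject { |key, _| key == "access_token" }
  clean_uri = req.uri.dup
  clean_uri.query = remaining.empty? ? nil : URI.encode_www_form(remaining)

  fixed = Net::HTTP::Post.new(clean_uri)
  fixed.body = req.body
  fixed["Authorization"] = "token #{token}" # header form GitHub documents for OAuth tokens
  fixed
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a placeholder token and a one-file gist payload.
  payload = { "files" => { "Test.java" => { "content" => "class Test {}" } } }
  old = legacy_gist_request("CONSTRUCTED_TOKEN", payload)
  new = move_token_to_header(old)
  puts "legacy path: #{old.path}"
  puts "fixed path:  #{new.path}"
  puts "token still in URL? #{token_in_url?(new)}"
end
```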