[Bug 1940907] Re: [SRU] Authentication/Authorization broken due to GitHub platform changes
Mathew Hodson
1940907 at bugs.launchpad.net
Sat Sep 25 04:34:26 UTC 2021
** Changed in: gist (Ubuntu)
Importance: Undecided => Medium
** Changed in: gist (Ubuntu Bionic)
Importance: Undecided => Medium
** Changed in: gist (Ubuntu Focal)
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1940907
Title:
[SRU] Authentication/Authorization broken due to GitHub platform
changes
Status in gist package in Ubuntu:
Fix Released
Status in gist source package in Bionic:
Confirmed
Status in gist source package in Focal:
Confirmed
Bug description:
[Impact]
* Gist upload (arguably the core function of the package) is not
functioning. Package versions prior to 5.1.0 provide the user's access
token as a query (URL) parameter, however GitHub changes now require
it to be provided as an HTTP(S) header:
https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters
* --login is not functioning. Package versions prior to 6.0.0 use an
authentication endpoint that has been shut down since November 2020:
https://developer.github.com/changes/2020-02-14-deprecating-oauth-auth-endpoint/
[Test Plan]
* rm ~/.gist # stored credentials
* gist-paste --login
Currently (5.0.0-4 focal) fails; output:
Obtaining OAuth2 access_token from github.
GitHub username: username
GitHub password:
RuntimeError: Got Net::HTTPNotFound from gist: {"message":"Not Found","documentation_url":"https://docs.github.com/rest"}
Expected web-based OAuth; output:
Requesting login parameters...
Please sign in at https://github.com/login/device
and enter code: DEAD-BEEF
Success! https://github.com/settings/connections/applications/402bac389df41f24c62f
* echo 'class Test {}' > Test.java
* gist-paste -f Test.java -t java -p -d 'Fast method tester' -R Test.java
Currently (5.0.0-4 focal) fails; output:
Error: Got Net::HTTPBadRequest from gist: {"message":"Must specify access token via Authorization header. https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param","documentation_url":"https://docs.github.com/v3/#oauth2-token-sent-in-a-header"}
Expected randomly-generated Gist link; output:
https://gist.github.com/username/eed178872769488d84378b13de8bb698/raw
[Where problems could occur]
* The SRU requires a rewrite of the authentication workflow, with a new
OAuth (web-based) approach.
The `--login` invocation previously accepted two inputs over stdin,
however it now waits for the user to carry out manual steps based on
instructions displayed (opening a page in a web browser, and entering a
code, as visible in the Test Plan above). Although automated scripts
should not be invoking `--login`, as the relevant token is stored
persistently in the user's home, if in any case they do so then it could
halt further processing of the script.
[Other Info]
* These changes have been tested as part of package release on prior Ubuntu versions, as well as landing in Debian stable:
- Gist 5.1.0-1 was published in Groovy (20.10) with relevant HTTP(S) header change.
- Gist 6.0.0-1 was published in Hirsute (21.04) with relevant changes for OAuth workflow (--login).
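The difference between the two token placements named under [Impact], as an added example that is not part of the bug report or the gist package's code: it builds both requests with Ruby's Net::HTTP without sending them, then shows that only the query-parameter form puts the credential on the request line that proxies and access logs record. The endpoint URL, the sample token and the function names are assumptions made for illustration.

```ruby
require "net/http"
require "uri"

API_URL = "https://api.github.com/gists"   # assumed endpoint, for illustration
TOKEN   = "CONSTRUCTED-TOKEN-0123456789"   # constructed sample, not a real token

# Pre-5.1.0 behaviour described in the bug: token sent as a URL query parameter.
def query_param_request(token, body)
  uri = URI(API_URL)
  uri.query = URI.encode_www_form(access_token: token)
  Net::HTTP::Post.new(uri).tap { |req| req.body = body }
end

# Behaviour GitHub now requires: token sent in the Authorization header.
def header_request(token, body)
  Net::HTTP::Post.new(URI(API_URL)).tap do |req|
    req["Authorization"] = "token #{token}"
    req.body = body
  end
end

# The request line is what proxies and access logs typically record;
# headers are normally not written there.
def request_line(req)
  "#{req.method} #{req.path} HTTP/1.1"
end

# Return the request lines that carry a credential in the query string,
# with the value masked, for log review or scrubbing.
def redact_query_tokens(lines)
  pattern = /([?&]access_token=)[^&\s]+/
  lines.grep(pattern).map { |line| line.gsub(pattern, '\1[REDACTED]') }
end

if __FILE__ == $PROGRAM_NAME
  body  = '{"files":{"Test.java":{"content":"class Test {}"}}}'
  lines = [query_param_request(TOKEN, body), header_request(TOKEN, body)]
          .map { |req| request_line(req) }
  puts lines                       # only the first line contains the token
  puts redact_query_tokens(lines)  # the same line with the value masked
end
```
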