
Carreau commented on May 14, 2024

I might need to dig a little deeper.

Yeah, the Personal Token API is a bit weird, I had some exchange with support as well:

[snip] I believe we intentionally send 2FA OTPs via SMS only for PUT and POST requests to the authorizations API. Normally, you'd use a PUT or a POST to create a token, and then continue using that token for making API requests. Once you're done with the token -- you can revoke it via the web UI. Again, I agree it would be great if DELETEs sent an SMS as well, so I've opened an internal issue to see if we'd consider changing that. I can't promise an ETA, but we'll follow up as soon as there's any news. For now, if you need an SMS for any API call -- you can trigger it with a POST to the authorizations API and then use the OTP for the call you really want to make.

So IIRC, the OTPs are short-lived, but you can use them for 2 different requests, and can basically make a "fake" request that will just trigger the OTP to be sent, and then do your real requests.

My guess is that personal access tokens are second-class citizens, and that's understandable, as they are inherently less secure than OAuth tokens, and GitHub's docs are mostly targeted at online services hooking into GitHub (hence the response that 2FA SMS is only for token requests, which might be true). Though personal access tokens are technically logging in as you, who are trying to do something on your repo, and not as an entity doing something on your behalf.

Anyway, I might give that a go at some point. I also have a YubiKey in some drawer; I should dig that out to see how it can be used for 2FA.

from gitsome.
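The OTP dance described above (server answers 401 with `X-GitHub-OTP: required; sms`, only PUT/POST trigger the SMS, so a DELETE needs a throwaway POST first and is then replayed with the code), as an added, offline simulation that is not code from gitsome or the thread. It assumes the header format and the verb rule exactly as the comments state them, with a constructed fake in place of api.github.com; the Authorizations API it models has since been deprecated by GitHub.

```python
"""Simulate GitHub's 2FA challenge on the Authorizations API as the thread describes it.
The HTTP layer is a constructed fake so this runs without network or credentials."""


class FakeGitHub:
    """Constructed stand-in for api.github.com implementing only the 2FA rules."""

    def __init__(self):
        self.sent_otps = []   # codes "delivered by SMS" so far
        self.calls = []       # (method, path) log for inspection

    def request(self, method, path, headers):
        self.calls.append((method, path))
        otp = headers.get("X-GitHub-OTP")
        if otp is None:
            if method in ("PUT", "POST"):  # the only verbs that trigger an SMS
                self.sent_otps.append(f"{len(self.sent_otps) + 1:06d}")
            return 401, {"X-GitHub-OTP": "required; sms"}
        if otp not in self.sent_otps:      # wrong or never-delivered code
            return 401, {"X-GitHub-OTP": "required; sms"}
        return (204 if method == "DELETE" else 201), {}


def otp_challenge(headers):
    """Return the 2FA type ('sms', 'app', ...) if the response demands an OTP, else None."""
    value = headers.get("X-GitHub-OTP", "")
    if value.startswith("required;"):
        return value.split(";", 1)[1].strip()
    return None


def call_with_2fa(api, method, path, read_otp, auth="Basic <placeholder>"):
    """Make one authenticated call, satisfying an SMS OTP challenge if one comes back.
    read_otp() asks the user for the code that was just delivered."""
    headers = {"Authorization": auth}
    status, resp_headers = api.request(method, path, headers)
    kind = otp_challenge(resp_headers)
    if status != 401 or kind is None:
        return status
    if kind == "sms" and method not in ("PUT", "POST"):
        # Workaround from the thread: a throwaway POST makes the server send the SMS.
        api.request("POST", "/authorizations", headers)
    headers["X-GitHub-OTP"] = read_otp()
    status, _ = api.request(method, path, headers)
    return status


if __name__ == "__main__":
    gh = FakeGitHub()
    print(call_with_2fa(gh, "DELETE", "/authorizations/42", lambda: gh.sent_otps[-1]))
    print([m for m, _ in gh.calls])  # DELETE, POST (SMS trigger), DELETE
```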

donnemartin commented on May 14, 2024

Interesting, appreciate the info and code snippet.

I thought this wasn't do-able due to this issue: sigmavirus24/github3.py#387:

"if you're using Basic Auth to authenticate and are using 2FA with SMS, the API will send 2FA SMSes with OTPs only for API requests to create tokens. This allows you to use the Authorizations API to create an OAuth token. If you're using other APIs and have 2FA enabled, you should authenticate using an OAuth token (instead of with username+password) because using an OAuth token doesn't require you to enter an OTP when making API calls."

I might need to dig a little deeper.

Note, the following message is unclear:

I think you're right, I'll try to improve that message.

Thanks!


donnemartin commented on May 14, 2024

Associated PR: #29
