Comments (14)
I agree that this is a bit inconvenient - would like for someone to pick up on this feature request.
from mozillians.
@hmitsch What would it take to get this on the roadmap? @hwine and I could really use this for our work in administering the github.com/mozilla organization. At the moment we can't see users' GitHub usernames in mozillians.org
from mozillians.
The easiest solution is to add the GitHub username in the db when a user verifies a GitHub account and display it probably next to the GitHub Profile Identity. After that it is just a matter of adding one more field to the index in order to make it searchable again.
from mozillians.
I may have stuffed too much tin foil in my hat this morning, but do we "age out" the verification?
I.e. people can change their GitHub logins (text) at will -- without sufficient coffee, I'm unsure of how easy it'd be to social engineer to get control of a confirmed login name and escalate that to "bad stuff". (The id is permanent, but that requires lookups.)
@gene1wood -- any concerns? I don't think there would be any excessive exposure on the GitHub side, but I'm unsure of what other access this could authenticate.
from mozillians.
Just to clarify, the GitHub username will not be used anywhere in mozillians for login. Mozillians will only get the Github nickname when a user verifies a Github account through Auth0 or will update it in case it has changed every time the user uses the Github method to login via Auth0. The nickname will only be used for display purposes in the profiles.
from mozillians.
> but do we "age out" the verification?
No. Is the concern around a user with a GitHub account verifying it in Mozillians, then later closing out their GitHub account (if that's possible) and then an attacker registering their old username (if that's possible)?
> people can change their GitHub logins (text) at will
Is this true? Can a GitHub user change their GitHub username in GitHub?
from mozillians.
> The easiest solution is to add the GitHub username in the db when a user verifies a GitHub account and display it probably next to the GitHub Profile Identity.
We should probably do this for all the identities that a user can verify in mozillians (not just GitHub).
from mozillians.
> Is this true? Can a GitHub user change their GitHub username in GitHub?
Yes - all customer-generated names are changeable (User, Org, Repository). GitHub lists caveats about the impact of name changes, but does not prevent it. I think, but have not confirmed, that GitHub will support name changes by generating 301 responses. (GitHub does do this for repository ownership transfers, until someone re-uses the original owner/repo combo.)
What is a unique identifier inside GitHub is the "node_id" field of each resource. The current value of that field can be determined or checked with one API call for each GitHub verification.
from mozillians.
> The nickname will only be used for display purposes in the profiles.
I think I finally understand the implications of this statement. D'oh!
@gene1wood I'm no longer sure this mapping will be sufficient for some of our use cases :( -- let's find a whiteboard and talk it through offline.
from mozillians.
➤ Viorela Ioia commented:
Opened #2360
from mozillians.
@hwine do you want to add our findings from our whiteboard conversation the other day?
from mozillians.
/me tries to recap - that was last week!
Summary
"Login" and other resource display identifiers on GitHub can be changed by the resource owner at any time (thanks to @gene1wood for confirming). So storing only the "login" text is insufficient for code which needs to strongly authenticate users before performing GitHub operations on their behalf. Code needing strong authentication can verify with GitHub that the "login" still has the same "id" as has been stored. (i.e. code needs a way to query both the "login" and "id" in a Mozillian's record.)
More concretely, the mozillian's db should:
- store both the login text (e.g. 'hwine') and the v4 id (e.g. "MDQ6VXNlcjEzMjQxMg==")
- UI should allow search by login
- API should provide both login and id for a user
- API should allow query by login
- bonus: API may allow query by id
Background
User and other resource ID's on GitHub
GitHub is (slowly) transitioning their API from REST (v3) to GraphQL (v4). Each system has a different way of expressing unique identifiers. Fortunately, responses often contain both identifiers to aid in the transition. We should retrieve and store the v4 "id" (aka "node id") for authentication. This used to require a second query to GitHub for processes using the REST API, but as of 2018-05-30 the v4 id should be returned in most calls.
Usage
There's an example of how things could work in this gist
from mozillians.
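The login/id consistency check the summary above calls for, written out as an added example (this is not code from mozillians or from the linked gist). The stored record and the GitHub lookup responses are constructed inline; the sample node id is the one quoted in the summary, and `check_identity` assumes the lookup was done by the stored login (REST `GET /users/{login}` style, returning `login` and `node_id`).

```python
import base64
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class LinkedGithub:
    """What mozillians would persist when a user verifies GitHub via Auth0 (constructed)."""
    login: str      # display text, e.g. 'hwine' -- can be changed by the owner at any time
    node_id: str    # v4 global id, e.g. 'MDQ6VXNlcjEzMjQxMg==' -- stable for the account


def decode_node_id(node_id: str) -> Tuple[str, int]:
    """Decode a legacy v4 node id into (resource type, REST numeric id).

    The summary's sample id is base64 of '04:User132412', i.e. the v3 user id 132412.
    """
    raw = base64.b64decode(node_id).decode("ascii")
    _, rest = raw.split(":", 1)              # drop the '04' prefix
    type_name = rest.rstrip("0123456789")    # 'User'
    return type_name, int(rest[len(type_name):])


def check_identity(stored: LinkedGithub, current: Optional[dict]) -> str:
    """Compare the stored mapping with a fresh lookup of the stored login.

    'ok'            login and node_id unchanged; safe to act on behalf of this user
    'renamed'       same account (node_id matches) under a new login; refresh display only
    'reused'        the login now resolves to a different account; do not trust it
    'unresolvable'  lookup returned nothing (account deleted/renamed without redirect)
    """
    if current is None:
        return "unresolvable"
    same_id = current["node_id"] == stored.node_id
    same_login = current["login"].lower() == stored.login.lower()
    if same_id and same_login:
        return "ok"
    if same_id:
        return "renamed"
    return "reused"


if __name__ == "__main__":
    rec = LinkedGithub(login="hwine", node_id="MDQ6VXNlcjEzMjQxMg==")
    print(decode_node_id(rec.node_id))                                   # ('User', 132412)
    print(check_identity(rec, {"login": "hwine", "node_id": rec.node_id}))            # ok
    print(check_identity(rec, {"login": "hwine-new", "node_id": rec.node_id}))        # renamed
    print(check_identity(rec, {"login": "hwine", "node_id": "MDQ6VXNlcjk5OTk5OQ=="}))  # reused
```

The "reused" branch is the case raised earlier in the thread (old login re-registered by someone else): matching on login alone would accept it, matching on node_id rejects it.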
This was closed by the bot. Reopening
from mozillians.
I would like to work on this issue. @gene1wood can you tell me how to proceed?
from mozillians.