
Comments (14)

dayo-adebanjo avatar dayo-adebanjo commented on July 29, 2024

I agree that this is a bit inconvenient - would like for someone to pick up on this feature request.

from mozillians.

gene1wood avatar gene1wood commented on July 29, 2024

@hmitsch What would it take to get this on the roadmap? @hwine and I could really use this for our work in administering the github.com/mozilla organization. At the moment we can't see users' GitHub usernames in mozillians.org.


akatsoulas avatar akatsoulas commented on July 29, 2024

The easiest solution is to add the GitHub username in the db when a user verifies a GitHub account and display it probably next to the GitHub Profile Identity. After that it is just a matter of adding one more field to the index in order to make it searchable again.


hwine avatar hwine commented on July 29, 2024

I may have stuffed too much tin foil in my hat this morning, but do we "age out" the verification?

I.e. people can change their GitHub logins (text) at will -- without sufficient coffee, I'm unsure of how easy it'd be to social engineer to get control of a confirmed login name and escalate that to "bad stuff". (The id is permanent, but that requires lookups.)

@gene1wood -- any concerns? I don't think there would be any excessive exposure on the GitHub side, but I'm unsure of what other access this could authenticate.


akatsoulas avatar akatsoulas commented on July 29, 2024

Just to clarify, the GitHub username will not be used anywhere in mozillians for login. Mozillians will only get the GitHub nickname when a user verifies a GitHub account through Auth0, or will update it in case it has changed every time the user uses the GitHub method to log in via Auth0. The nickname will only be used for display purposes in the profiles.


gene1wood avatar gene1wood commented on July 29, 2024

@hwine

but do we "age out" the verification?

No. Is the concern around a user with a GitHub account verifying it in Mozillians, then later closing out their GitHub account (if that's possible) and then an attacker registering their old username (if that's possible)?

people can change their GitHub logins (text) at will

Is this true? Can a GitHub user change their GitHub username in GitHub?


gene1wood avatar gene1wood commented on July 29, 2024

@akatsoulas

The easiest solution is to add the GitHub username in the db when a user verifies a GitHub account and display it probably next to the GitHub Profile Identity.

We should probably do this for all the identities that a user can verify in mozillians (not just GitHub).


hwine avatar hwine commented on July 29, 2024

@gene1wood

Is this true? Can a GitHub user change their GitHub username in GitHub?

Yes - all customer-generated names are changeable (User, Org, Repository). GitHub lists caveats about the impact of name changes, but does not prevent it. I think, but have not confirmed, that GitHub will support name changes by generating 301 responses. (GitHub does do this for repository ownership transfers, until someone re-uses the original owner/repo combo.)

What is a unique identifier inside GitHub is the "node_id" field of each resource. The current value of that field can be determined or checked with one API call for each GitHub verification.


hwine avatar hwine commented on July 29, 2024

The nickname will only be used for display purposes in the profiles.

I think I finally understand the implications of this statement. D'oh!

@gene1wood I'm no longer sure this mapping will be sufficient for some of our use cases :( -- let's find a whiteboard and talk it through offline.


 avatar commented on July 29, 2024

➤ Viorela Ioia commented:

Opened #2360


gene1wood avatar gene1wood commented on July 29, 2024

@hwine do you want to add our findings from our whiteboard conversation the other day?


hwine avatar hwine commented on July 29, 2024

/me tries to recap - that was last week!

Summary

"Login" and other resource display identifiers on GitHub can be changed by the resource owner at any time (thanks to @gene1wood for confirming). So storing only the "login" text is insufficient for code which needs to strongly authenticate users before performing GitHub operations on their behalf. Code needing strong authentication can verify with GitHub that the "login" still has the same "id" as has been stored. (i.e. code needs a way to query both the "login" and "id" in a Mozillian's record.)

More concretely, the mozillian's db should:

  • store both the login text (e.g. 'hwine') and the v4 id (e.g. "MDQ6VXNlcjEzMjQxMg==")
  • UI should allow search by login
  • API should provide both login and id for a user
  • API should allow query by login
  • bonus: API may allow query by id

Background

User and other resource IDs on GitHub

GitHub is (slowly) transitioning their API from REST (v3) to GraphQL (v4). Each system has a different way of expressing unique identifiers. Fortunately, responses often contain both identifiers to aid in the transition. We should retrieve and store the v4 "id" (aka "node id") for authentication. This used to require a second query for processes using the REST API, but as of 2018-05-30 the v4 id should be returned in most calls.

Usage

There's an example of how things could work in this gist

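The check hwine describes above (store the login text together with the v4 node id, then confirm with GitHub that the login still resolves to the same id before doing GitHub operations on the user's behalf), written out as an added example. This is not mozillians code and not the gist linked in the thread: the GitHub API is replaced by an injected lookup over a constructed snapshot so it runs offline, and the sample responses follow the shape of the REST `GET /users/{login}` response, which carries both the numeric `id` and the `node_id`. The legacy-node-id helpers only exist to make the sample data readable and to tie the thread's example id "MDQ6VXNlcjEzMjQxMg==" back to a numeric REST id; they are not something production code should rely on.

```python
"""Check that a stored GitHub login still belongs to the same account.

Added example for this thread, not code from mozillians. GitHub API calls are
replaced by an injected ``lookup`` callable so the example runs offline; the
sample responses are constructed here but follow the shape of GitHub's REST
(v3) ``GET /users/{login}`` response, which returns both the numeric ``id``
and the GraphQL (v4) ``node_id``.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

UserLookup = Callable[[str], Optional[dict]]


@dataclass(frozen=True)
class StoredIdentity:
    """What the mozillians DB would keep per verified GitHub identity."""
    login: str    # display text; the owner can rename it at any time
    node_id: str  # v4 node id; stable across renames, compare as an opaque string


def legacy_node_id(kind: str, numeric_id: int) -> str:
    """Build a legacy-format v4 node id from a REST numeric id.

    Legacy GitHub node ids are base64("04:<Type><id>"); the thread's
    "MDQ6VXNlcjEzMjQxMg==" decodes to "04:User132412". Newer accounts get a
    different id format, so production code should only ever *compare* node
    ids, never construct or parse them. This helper just builds test data.
    """
    return base64.b64encode(f"04:{kind}{numeric_id}".encode()).decode()


def decode_legacy_node_id(node_id: str) -> Optional[Tuple[str, int]]:
    """Return (type, numeric id) for a legacy node id, or None if not legacy."""
    try:
        raw = base64.b64decode(node_id, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    match = re.fullmatch(r"04:([A-Za-z]+)(\d+)", raw)
    if not match:
        return None
    return match.group(1), int(match.group(2))


# Constructed snapshot of "what GitHub returns today". Scenario: the user who
# verified as 'hwine' (id 132412) later renamed to 'hwine-new', and a different
# account (id 99999) has since registered the released name 'hwine'.
SAMPLE_USERS: Dict[str, dict] = {
    "hwine": {"login": "hwine", "id": 99999,
              "node_id": legacy_node_id("User", 99999)},
    "hwine-new": {"login": "hwine-new", "id": 132412,
                  "node_id": legacy_node_id("User", 132412)},
}


def sample_lookup(login: str) -> Optional[dict]:
    """Stand-in for GET /users/{login}; None models a 404."""
    return SAMPLE_USERS.get(login)


def verify_login(stored: StoredIdentity, lookup: UserLookup) -> Tuple[bool, str]:
    """Strong check before acting on GitHub on a Mozillian's behalf.

    The login text alone is weak: it may have been released and re-registered
    by someone else. Only the stored node_id matching the id GitHub returns
    for that login today shows it is still the same account.
    """
    current = lookup(stored.login)
    if current is None:
        return False, "login no longer exists"
    if current.get("node_id") != stored.node_id:
        return False, "login now belongs to a different account"
    return True, "ok"


def current_login_for(node_id: str, users: Dict[str, dict]) -> Optional[str]:
    """Find the login a stable node id maps to now (what a GraphQL ``node(id:)``
    query would answer), so the DB can refresh the stored display text."""
    for login, user in users.items():
        if user.get("node_id") == node_id:
            return login
    return None


if __name__ == "__main__":
    stale = StoredIdentity("hwine", legacy_node_id("User", 132412))
    print(verify_login(stale, sample_lookup))
    print(current_login_for(stale.node_id, SAMPLE_USERS))
    print(decode_legacy_node_id("MDQ6VXNlcjEzMjQxMg=="))
```

The stale record fails the check even though the login text "hwine" still exists on GitHub, which is exactly the case the login-only design misses; the node id then lets the record be repaired to the account's current login rather than silently trusting the new owner of the old name.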

akatsoulas avatar akatsoulas commented on July 29, 2024

This was closed by the bot. Reopening


LordGameleo avatar LordGameleo commented on July 29, 2024

I would like to work on this issue. @gene1wood can you tell me how to proceed?

