
gatekeeper's Introduction

Gatekeeper

GitHub's OAuth web application flow ends with a server-to-server request that trades the temporary code for an access token, and that request must carry your application's client_secret. A client-side-only application has nowhere to keep that secret (anything shipped to the browser is readable by everyone), so the flow cannot be completed from the browser alone.

That is a real bummer. So we built Gatekeeper, the missing piece: a small server that holds the client_secret and performs the code-for-token exchange on the browser's behalf.

Gatekeeper works well with Github.js, which helps you access the GitHub API from the browser. Gatekeeper is free to use under the MIT license.

New Release

🎉 We are currently working on releasing a new major version of gatekeeper. You can join the discussion and get involved by following this issue. 🎉

API

GET http://localhost:9999/authenticate/TEMPORARY_CODE

Responds with JSON whose token field holds the user's access token (see step 3 below). Anyone who can reach this endpoint with a valid code gets that token back, and the token then lives in the browser, so in production put Gatekeeper behind HTTPS and restrict its Access-Control-Allow-Origin header to your site's origin rather than a wildcard.

OAuth Steps

Also see the documentation on Github.

  1. Redirect users to request GitHub access.

    GET https://github.com/login/oauth/authorize
    
  2. GitHub redirects back to your site including a temporary code you need for the next step.

    You can grab it like so (URLSearchParams rather than a regex such as /\?code=(.*)/, whose greedy group would also capture any &state=... that follows the code):

    var code = new URL(window.location.href).searchParams.get('code');
  3. Request the actual token using your instance of Gatekeeper, which knows your client_secret.

    $.getJSON('http://localhost:9999/authenticate/'+code, function(data) {
      console.log(data.token);
    });
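The three steps above as one client-side module. This is an added example, not code from the gatekeeper README or the prose project. It does what the snippets above do, but adds the state parameter from GitHub's OAuth documentation, checks it when the user comes back so a forged callback cannot plant someone else's code, and parses the callback with URLSearchParams so that anything after the code is not captured as part of it. GATEKEEPER_URL, STATE_KEY and the injectable fetchImpl/crypto parameters are assumptions made for illustration; the endpoint shape (/authenticate/CODE answering with { token }) is the one the README describes.

```javascript
// Added example, not code from the gatekeeper README or the prose project.
// Client-side GitHub OAuth flow against a Gatekeeper instance, with the
// `state` parameter the README snippets omit. GATEKEEPER_URL and STATE_KEY
// are assumed values for illustration.

const GITHUB_AUTHORIZE_URL = 'https://github.com/login/oauth/authorize';
const GATEKEEPER_URL = 'https://gatekeeper.example.com'; // assumed; HTTPS, not http://localhost, in production
const STATE_KEY = 'github_oauth_state';                  // assumed sessionStorage key

// Unguessable per-login value; GitHub echoes it back so the callback can be
// tied to the browser session that started the login.
function makeState(crypto = globalThis.crypto) {
  const bytes = new Uint8Array(16);
  crypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Step 1: the URL the user is redirected to.
function buildAuthorizeUrl({ clientId, redirectUri, scope, state }) {
  const url = new URL(GITHUB_AUTHORIZE_URL);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  if (scope) url.searchParams.set('scope', scope);
  url.searchParams.set('state', state);
  return url.toString();
}

// Step 2: pull the temporary code out of the callback URL. URLSearchParams is
// used instead of /\?code=(.*)/, whose greedy group would also capture
// "&state=..." and anything else after the code. A callback whose state does
// not match the one stored before the redirect is rejected (CSRF protection).
function parseCallback(href, expectedState) {
  const params = new URL(href).searchParams;
  if (params.get('error')) {
    throw new Error('GitHub returned error: ' + params.get('error'));
  }
  const code = params.get('code');
  if (!code) throw new Error('no code in callback URL');
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch; ignoring callback');
  }
  return code;
}

// Step 3: hand the one-time code to Gatekeeper, which holds the client_secret
// and answers with { token } (the response shape shown in the README).
async function exchangeCode(code, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(GATEKEEPER_URL + '/authenticate/' + encodeURIComponent(code));
  if (!res.ok) throw new Error('gatekeeper responded ' + res.status);
  const data = await res.json();
  if (!data.token) throw new Error('no token in gatekeeper response: ' + JSON.stringify(data));
  return data.token;
}

// Page glue: start the login, or finish it if we are on the callback. Only
// this function touches browser globals; it is not called at load time.
async function runInBrowser(clientId, redirectUri, scope) {
  if (new URL(location.href).searchParams.has('code')) {
    const expected = sessionStorage.getItem(STATE_KEY);
    sessionStorage.removeItem(STATE_KEY);            // state is single-use
    const code = parseCallback(location.href, expected);
    history.replaceState({}, '', location.pathname); // keep the code out of history and referrers
    return exchangeCode(code);
  }
  const state = makeState();
  sessionStorage.setItem(STATE_KEY, state);
  location.assign(buildAuthorizeUrl({ clientId, redirectUri, scope, state }));
}
```

Only runInBrowser touches location and sessionStorage; the other functions are pure so they can be unit-tested. The token still ends up in the browser, so anyone who can run script on your origin can read it: request the smallest scope you need and serve both the page and Gatekeeper over HTTPS.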

Setup your Gatekeeper

  1. Clone it

    git clone git@github.com:prose/gatekeeper.git
    
  2. Install Dependencies

    cd gatekeeper && npm install
    
  3. Adjust config.json

    {
      "oauth_client_id": "GITHUB_APPLICATION_CLIENT_ID",
      "oauth_client_secret": "GITHUB_APPLICATION_CLIENT_SECRET",
      "oauth_host": "github.com",
      "oauth_port": 443,
      "oauth_path": "/login/oauth/access_token",
      "oauth_method": "POST",
      "port": 9999
    }

    You can also set environment variables to override the settings if you don't want Git to track your adjusted config.json file. Just use UPPER_CASE keys, e.g. OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET. Prefer this for the secret: leave the placeholder in config.json and supply the real value from the environment so it never lands in a commit.

  4. Serve it

    $ node index.js
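What the server you just started does, written out as an added example. This is not gatekeeper's own server.js. It reads the config.json keys above with the UPPER_CASE environment overrides, posts the code and client_secret to GitHub's access_token endpoint, surfaces GitHub's error response instead of handing back a null token, and redacts credentials before anything is logged. Assumptions: Node 18 or newer for the global fetch, and an extra allowed_origin / ALLOWED_ORIGIN setting that the real config.json does not have.

```javascript
// Added example, not gatekeeper's own server.js. The server-side half of the
// flow: config.json keys with UPPER_CASE env overrides, code-for-token
// exchange with the client_secret, GitHub errors surfaced instead of a null
// token, and credentials redacted before anything is logged.
// Assumptions: Node 18+ (global fetch); `allowed_origin` / ALLOWED_ORIGIN is
// an illustrative extra setting the real config.json does not have.

const DEFAULTS = {
  oauth_client_id: '',
  oauth_client_secret: '',
  oauth_host: 'github.com',
  oauth_port: 443,
  oauth_path: '/login/oauth/access_token',
  oauth_method: 'POST',
  port: 9999,
  allowed_origin: '*', // assumed extra key; set it to your site's origin in production
};

// config.json values, each overridable by an env var of the same name in UPPER_CASE.
function loadConfig(fileConfig = {}, env = process.env) {
  const config = { ...DEFAULTS, ...fileConfig };
  for (const key of Object.keys(DEFAULTS)) {
    const value = env[key.toUpperCase()];
    if (value !== undefined && value !== '') config[key] = value;
  }
  if (!config.oauth_client_id || !config.oauth_client_secret) {
    throw new Error('oauth_client_id and oauth_client_secret must be set');
  }
  return config;
}

// Mask credential-looking fields before they reach a log line.
function redact(params) {
  const out = {};
  for (const [key, value] of Object.entries(params)) {
    out[key] = /secret|token|code/i.test(key) ? '[redacted]' : value;
  }
  return out;
}

// POST form data to GitHub. `Accept: application/json` makes GitHub reply in
// JSON instead of the form-encoded body that older code parses with querystring.
async function postForm(config, params, fetchImpl = globalThis.fetch) {
  const url = `https://${config.oauth_host}:${config.oauth_port}${config.oauth_path}`;
  if (process.env.DEBUG) console.log('POST', url, redact(params));
  const res = await fetchImpl(url, {
    method: config.oauth_method,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded', Accept: 'application/json' },
    body: new URLSearchParams(params).toString(),
  });
  return res.json();
}

// Exchange the temporary code; resolves to the token or rejects with GitHub's error.
async function exchangeCode(config, code, post = postForm) {
  const data = await post(config, {
    client_id: config.oauth_client_id,
    client_secret: config.oauth_client_secret,
    code,
  });
  if (data.error || !data.access_token) {
    const err = new Error(`${data.error || 'no_token'}: ${data.error_description || 'GitHub returned no access_token'}`);
    err.status = 400; // the code was bad, expired or already used
    throw err;
  }
  return data.access_token;
}

// Pure handler for GET /authenticate/CODE, returning { status, headers, body }.
async function handleAuthenticate(config, method, pathname, post = postForm) {
  const headers = {
    'Content-Type': 'application/json',
    'Access-Control-Allow-Origin': config.allowed_origin,
    'Cache-Control': 'no-store', // the response carries a bearer token
  };
  const match = method === 'GET' && /^\/authenticate\/([^/]+)$/.exec(pathname);
  if (!match) return { status: 404, headers, body: JSON.stringify({ error: 'not found' }) };
  try {
    const token = await exchangeCode(config, decodeURIComponent(match[1]), post);
    return { status: 200, headers, body: JSON.stringify({ token }) };
  } catch (err) {
    console.error('token exchange failed:', err.message); // message holds no secret, code or token
    return { status: err.status || 502, headers, body: JSON.stringify({ token: null, error: err.message }) };
  }
}

function startServer(config) {
  const http = require('node:http');
  return http.createServer(async (req, res) => {
    const { pathname } = new URL(req.url, 'http://localhost');
    const out = await handleAuthenticate(config, req.method, pathname);
    res.writeHead(out.status, out.headers);
    res.end(out.body);
  }).listen(Number(config.port));
}

// GATEKEEPER_SERVE=1 OAUTH_CLIENT_ID=... OAUTH_CLIENT_SECRET=... node gatekeeper-example.js
if (process.env.GATEKEEPER_SERVE === '1') startServer(loadConfig());
```

Start it with the environment variables shown in the last comment and request /authenticate/CODE exactly as in the API section. Setting ALLOWED_ORIGIN to your site's origin instead of the wildcard keeps other sites from using your Gatekeeper to redeem codes, and the no-store header stops the token response from being cached by intermediaries.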
    

Run using Docker

You can build and run the docker image:

docker build -t gatekeeper .
docker run -p 443:443 -p 9999:9999 --name gatekeeper-server gatekeeper

Or run it with a .env file holding the UPPER_CASE settings (OAUTH_CLIENT_ID=..., OAUTH_CLIENT_SECRET=...), which keeps the secret out of the image layers:

docker run -p 443:443 -p 9999:9999 --env-file .env --name gatekeeper-server gatekeeper

Or run using the docker hub image:

docker run -p 443:443 -p 9999:9999 --name gatekeeper-server ludwigschubi/gatekeeper

Deploy on Heroku

Heroku Button

Use the button below to instantly set up your own Gatekeeper instance on Heroku. The button deploys the repository's default branch unless the template URL pins one (.../tree/master), so check which branch it points at; see the "Deploy to heroku buttons broken" issue below.

Deploy

Heroku manually

  1. Create a new Heroku app

    heroku apps:create APP_NAME
    
  2. Provide OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET:

    heroku config:set OAUTH_CLIENT_ID=XXXX OAUTH_CLIENT_SECRET=YYYY
    
  3. Push changes to Heroku

    git push heroku master

    or, for an existing deployment:

    heroku restart

Deploy on Azure

Azure Button

Use the button below to instantly set up your own Gatekeeper instance on Azure.

Deploy to Azure

Azure manually

  1. Create a new Azure site

    azure site create SITE_NAME --git
    
  2. Provide OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET:

    azure site appsetting add OAUTH_CLIENT_ID=XXXX
    azure site appsetting add OAUTH_CLIENT_SECRET=YYYY
    
  3. Push changes to Azure

    git push azure master
    

gatekeeper's People

Contributors

compumike08, dereklieu, ericlewis, kriswep, kunukn, ludwigschub, lukesargeant, marcqualie, michael, mikemorris, shyykoserhiy, stuartpb, tmcw, tristen, wrynearson, zzolo


gatekeeper's Issues

Safety concerns around using Gatekeeper

Hey!

Have been exploring the options of trying to get around Github's OAuth2 authentication and really struggling to find a way and came across this project.

Are there any security concerns I would need to take into consideration when using the service? I assume an instance can be self-hosted, but I'm pretty new to OAuth and other authentication protocols.

If I could get some advice or help, it would be great

[V1] Add styling rules

We should add and enforce styling rules for our codebase through either eslint and/or prettier.

That should be also enforced in CI.

Discussions about the tool and styles could take place here...

Deploy to heroku buttons broken

Hi all 👋🏻 long time no see. I've had some reports from users of JKAN that the authentication isn't working. Upon investigation, it looks like the issue is that our gatekeeper "Deploy to Heroku" button was deploying the development branch, and that branch isn't working (see #64).

I'm assuming the default branch used to be master, and at some point it switched to development, after work on the new version began.

The heroku button code snippet tends to leave out the branch, e.g.:

<a href="https://heroku.com/deploy?template=https://github.com/prose/gatekeeper">
  <img src="https://www.herokucdn.com/deploy/button.svg" alt="Deploy">
</a>

So it uses the default git branch. When the default branch changed to development (or when the development branch stopped working), any instances deployed via a button like this after that point would not have worked (not sure when that was).

For now, you can resolve this issue by appending the branch name to the button snippet, e.g.:

<a href="https://heroku.com/deploy?template=https://github.com/prose/gatekeeper/tree/master">
  <img src="https://www.herokucdn.com/deploy/button.svg" alt="Deploy">
</a>

But if there are a lot of "Deploy to Heroku" buttons out there without the explicit branch name, I'd recommend changing the default branch back to master, or getting the development branch into a state that works on a fresh Heroku deploy.

cake?

Why is there a Cakefile? Seems like it's roughly equivalent to doing the same without Coffeescript or a nodejs module that just execs out:

gatekeeper➟ heroku create
gatekeeper➟ heroku apps:rename mistakes_auth
gatekeeper➟ heroku apps:rename mistakesauth
gatekeeper➟ heroku config:add OAUTH_CLIENT_ID=...
gatekeeper➟ heroku config:add OAUTH_SECRET...
gatekeeper➟ git push heroku master

[V1] Add tests

We need a sufficient enough test suite to be able to be confident about future refactors.

The test framework / runner needs to be discussed.

tape was mentioned, which is known to be a quite lightweight solution. However, in my opinion, adding things like mock support needs more configuration to work.

I also would like to add jest to the discussion, which is more a batteries included solution. Nice features are integrated snapshot testing (good for APIs), mocking and a quick interactive watch mode.

More opinions on test runners/framework welcome.

Also desirable would be some kind of CI setup, eg travis

Setup instruction for gitlab version of prose

Hi @dereklieu
I am trying to setup prose for gitlab. repo https://github.com/justinechacko/editor1
site http://editor1.justinechacko.in/
upon authorisation it gives me error like "Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method."
My addressbar was https://meta.iilab.org/oauth/authorize?client_id=ccaee7d09ab99c8772a9eaf2a8af0821689024cd4429cd3f334d9a9169edf756&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F&response_type=code
Please help. Thanks.

Adding support for GitHub "scope" parameters

It would be helpful to specify in the config certain scopes that a user is granting access to. Use case:

  • Deployed instance of Prose + Gatekeeper only want enable people to edit their organization's repos

Perhaps this filtering is already possible somehow I'm just unaware...

[Discussion] Work on new major release

First things first: I used gatekeeper in a little side project and it worked great for me.

But, looking at the source, the project starts to feel a little aged. This might turn potential users off and to newer solutions like micro-github or micro-auth.
Although they look like great work as well, I like gatekeeper's concept more, as it does not put the access token in the users query url.

So I propose working on a new major release/overhaul of gatekeeper.
Changes I have in mind (in no particular order):

  • Using new ES2017 Syntax and changing node engine condition to v8 (which will be lts end of october). -> see #41
  • Upgrading express or switching to another server framework like micro. The version of express in use has some security flaws. -> see #43
  • Committing to semver, so people know when to expect upgrade work. Right now, gatekeeper seems to be stuck at 0.1.0, which means we could release the proposed overhaul as 1.0.0. -> see #42
  • Writing tests and using some kind of cloud CI (-> travis?). -> see #40
  • Add linting and/or prettier. -> see #46
  • Splitting up that one server.js file in smaller chunks ? -> see #41
  • Adding contributing guidelines and enforcing a CoC, see community suggestions from github.
  • Improving the readme, especially in regard to the configuration steps you have to do in github.
  • Maybe adding some place for discussion like gitter or slack.
  • ...

What do you think about that? Happy to discuss this and other ideas.

I would also like to participate in this upgrade.

Gatekeeper logs secrets/tokens to console

I noticed gatekeeper logs the github client secret, as well as the users codes and tokens to console output.

That is a security issue in settings where one doesn't control the log output / server env.

For example, zeit's now.sh seems to show the logs publicly on their public plan. There the logging would quickly become a major security issue.
(Otherwise deploying gatekeeper to now.sh would be a great option imo)

I could send a PR with sanitized log output, if you are interested in that. Please let me know.

Error : Uncaught ReferenceError: require is not defined server.js:1

Hi Michael ....

I copied the server.js and config.json files into my app... I am using Github.js to do the operations on GitHub. It is showing "Error : Uncaught ReferenceError: require is not defined server.js:1". And one more thing: I want to achieve step 3, "Request the actual token using your instance of Gatekeeper, which knows your client_secret.", in JavaScript....

Help me....

[V1] Development Workflow and release management

As discussed before, the future development workflow would be some kind of the forking workflow with PRs targeted against the development branch.
Releasing would mean merging to master, while following semver.

I would also suggest protecting the branches and adding status checks to Pull Request (when CI discussed in #40 is set up). Also enforcing code reviews before merging would be possible.

Getting CORS errors on Heroku deploy

Somehow, even though CORS headers seem to be set looking through the source code, I'm not seeing them added in the response and I'm getting a CORS error trying to authenticate GitHub users using a Heroku deployment:

Access to fetch at 'https://[APP].herokuapp.com/authenticate/[CLIENT_ID]' from origin 'http://[ORIGIN]' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

When I changed the code to use the cors package, the headers do seem to be added. I'm not sure what that package does differently from what you do here, but might be interesting to investigate?

Gatekeeper vulnerable to recently announced Node.js security vulnerability

Node.js recently announced a severe security vulnerability (see here), and they recommend upgrading to a patched version of Node.js immediately. Heroku is instructing people to make sure that their "engines.node.version" value in their package.json files is set to a specific version which is patched (see here).

Gatekeeper's current "engines.node.version" value in its package.json value needs to be changed to specify a specific patched version to avoid this security vulnerability.

See PR: #31

authenticate function swallows errors from GitHub

While working on #35 I noticed the actual request callback implementation in the authenticate function swallows quite a lot of errors returned by GitHub.
E.g. when providing a bad code, res.on('end', ..) will be called and just returns an empty error object and a null token.

Only way I could get actual errors was when the request timed out.

// .. Relevant code in authenticate function in server.js
  var body = '';
  var req = https.request(reqOptions, function(res) {
    res.setEncoding('utf8');
    res.on('data', function (chunk) { body += chunk; });
    res.on('end', function() {
      // Neither res.statusCode nor an `error` / `error_description` field in
      // the body is inspected: a bad code just yields access_token === undefined
      // with a null error, and the caller cannot tell what went wrong.
      cb(null, qs.parse(body).access_token);
    });
  });
//..

[V1] Refactor to use ES2017 features

Requiring the now latest node LTS version (8.9.0) would enable us to use new ES2017 JavaScript Syntax without transpiling.
Rather nice for working with the GitHub API would be using async/await syntax.

This refactor would give gatekeeper a fresh, modern look.

Add docker image

Would be helpful for people that want to run the server on their own host

Which port? Heorku

By default, which port will this app be deployed to on Heroku? Assuming the config.json isn't changed, does heroku do something to change this from 9999?

Still maintained / best solution?

Just wanted to check to see if this codebase was still maintained? There hasn't been a commit in over a year. It's a pretty simple application so there doesn't need to be, just wanted to check. Maybe there is a better way to authenticate with Github in the browser?

Help with GitHub.js

Hi there! I'm not fully understanding how to use Gatekeeper and github.js to provide OAuth authentication. Can anyone provide some thought or resource that can help to achieve it? I searched around and nothing insightful comes up.

[V1] Upgrading server framework

Gatekeeper uses express v3 as server framework.
This needs to be updated to v4.

Alternatively, we could consider using an alternative framework.
I would suggest micro (https://github.com/zeit/micro). It's a lightweight framework, which focuses on new ES2017 syntax and works nicely with async/await. Would work nicely for the few route endpoints we need.

Compatible with gh-pages sites?

Does Gatekeeper allow a site hosted via gh-pages to authenticate with the GitHub API?

Update: Yes, this is possible -- see the last comment.

Original question:

From what I've read (see footnotes), I don't believe this is possible. It appears that when GitHub redirects a user back to your site after successful authentication, the server must dynamically combine GitHub's temporary code with your site's OAuth application client ID and secret to retrieve an OAuth token for the user. Such dynamic behavior is not possible with a static Jekyll site like gh-pages.

If, however, your site is hosted by Heroku or Azure, then Gatekeeper can streamline the web application flow for GitHub authentication.

Footnotes

  1. GitHub OAuth: Web Application Flow
  2. How I Created a Simple DBMS using GitHub, Jekyll, Prose and Heroku
  3. Deploying Jekyll on Heroku

Heroku push going bananas

Currently trying to deploy to Heroku, but getting the following:

-----> Node.js app detected
-----> Resolving engine versions
       Using Node.js version: 0.6.20
       Using npm version: 1.3.5
-----> Fetching Node.js binaries
-----> Vendoring node into slug
-----> Installing dependencies with npm
       npm ERR! Error: Cannot find module 'readable-stream'
       npm ERR!     at Function._resolveFilename (module.js:337:11)
       npm ERR!     at Function._load (module.js:279:25)
       npm ERR!     at Module.require (module.js:359:17)
       npm ERR!     at require (module.js:375:17)
       npm ERR!     at Object.<anonymous> (/tmp/node-npm-C24G/node_modules/sha/index.js:3:48)
       npm ERR!     at Module._compile (module.js:446:26)
       npm ERR!     at Object..js (module.js:464:10)
       npm ERR!     at Module.load (module.js:353:31)
       npm ERR!     at Function._load (module.js:311:12)
       npm ERR!     at Module.require (module.js:359:17)
       npm ERR! If you need help, you may report this log at:
       npm ERR!     <http://github.com/isaacs/npm/issues>
       npm ERR! or email it to:
       npm ERR!     <npm-@googlegroups.com>

       npm ERR! System Linux 3.8.11-ec2
       npm ERR! command "/tmp/node-node-byRW/bin/node" "/tmp/node-npm-C24G/cli.js" "install" "--production"
       npm ERR! cwd /tmp/build_3gsw71ildaxmz
       npm ERR! node -v v0.6.20
       npm ERR! npm -v 1.3.5
       npm ERR!
       npm ERR! Additional logging details can be found in:
       npm ERR!     /tmp/build_3gsw71ildaxmz/npm-debug.log
       npm ERR! not ok code undefined
       npm ERR! not ok code 1
 !     Failed to install --production dependencies with npm
       0 info it worked if it ends with ok
       1 verbose cli [ '/tmp/node-node-byRW/bin/node',
       1 verbose cli   '/tmp/node-npm-C24G/cli.js',
       1 verbose cli   'install',
       1 verbose cli   '--production' ]
       2 info using npm@1.3.5
       3 info using node@v0.6.20
       4 error Error: Cannot find module 'readable-stream'
       4 error     at Function._resolveFilename (module.js:337:11)
       4 error     at Function._load (module.js:279:25)
       4 error     at Module.require (module.js:359:17)
       4 error     at require (module.js:375:17)
       4 error     at Object.<anonymous> (/tmp/node-npm-C24G/node_modules/sha/index.js:3:48)
       4 error     at Module._compile (module.js:446:26)
       4 error     at Object..js (module.js:464:10)
       4 error     at Module.load (module.js:353:31)
       4 error     at Function._load (module.js:311:12)
       4 error     at Module.require (module.js:359:17)
       5 error If you need help, you may report this log at:
       5 error     <http://github.com/isaacs/npm/issues>
       5 error or email it to:
       5 error     <npm-@googlegroups.com>
       6 error System Linux 3.8.11-ec2
       7 error command "/tmp/node-node-byRW/bin/node" "/tmp/node-npm-C24G/cli.js" "install" "--production"
       8 error cwd /tmp/build_3gsw71ildaxmz
       9 error node -v v0.6.20
       10 error npm -v 1.3.5
       11 verbose exit [ 1, true ]
 !     Push rejected, failed to compile Node.js app

Any ideas?

Specify type of license

While the current LICENSE file is pretty clearly open source / free software, it would be good to have explicit license denoted, perhaps :)
