Use the GitHub API for all operations#107
Use the GitHub API for all operations#107tamird wants to merge 2 commits intojspm:masterfrom tamird:private-auth-0.16
Conversation
|
cc @adamburgess |
| var self = this, envMap = { | ||
| ca: 'GIT_SSL_CAINFO', | ||
| cert: 'GIT_SSL_CERT', | ||
| key: 'GIT_SSL_KEY' |
There was a problem hiding this comment.
Can you justify deciding to remove support for this?
There was a problem hiding this comment.
We're no longer execing, so this make no sense now.
On Sep 6, 2016 12:26, "Guy Bedford" notifications@github.com wrote:
In github.js
#107 (comment):this.defaultRequestOptions = {
strictSSL: 'strictSSL' in options ? options.strictSSL : true
};
- if (!this.defaultRequestOptions.strictSSL) {
- this.execOpt.env.GIT_SSL_NO_VERIFY = '1'
- }
- var self = this, envMap = {
- ca: 'GIT_SSL_CAINFO',
- cert: 'GIT_SSL_CERT',
- key: 'GIT_SSL_KEY'
Can you justify deciding to remove support for this?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
https://github.com/jspm/github/pull/107/files/35ce9c9ae8aeafb727b9467ef19c09f398323dbc#r77669492,
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABdsPLU1rEx9iaRUFTNoaXjwLsMBCTaoks5qnZQlgaJpZM4J2AfN
.
|
Thanks @tamird. Unfortunately my domain knowledge here isn't up to scratch, and I can't merge this without a comprehensive review, especially after all the issues we had with the last PR. If anyone is able to review this that would be a great help. |
|
I looked through this code and I've run LGTM if this works with Github Enterprise |
|
using only the api means that without a token, after 30 installs of a github repo it'll just die, no fallback or anything |
|
I've added the standard api limit error messages. In my experience, all non-trivial jspm installs without authentication fail - even after this change, trivial projects will continue to succeed and non-trivial ones will continue to fail. The complication of the fallback doesn't, in my opinion, justify the complexity, but I'm willing to be convinced. Reverting the original changes should be a non-starter. Requiring users to provide privileged tokens is a serious security concern. |
|
Thanks @tamird. Authentication tokens in GitHub can be made to only be read only. The only difference seems to me the inclusion of the user name, but at the cost of hurting unauthenticated workflows. Without an alternative the best route forward is still looking like reverting that work. |
|
@guybedford @tamird just to clarify, what work are you talking about reverting? |
|
@guybedford even "Read only" tokens are overly privileged - they allow reading private repos, which should not be required for public-only jspm invocations. |
|
@tamird so are you saying that tokens shouldn't be used and/or opt-in? because just above you said it wasn't worth it? also from my PR, using git+https is as simple as |
|
@adamburgess here's the context: #90 before that PR, tokens always had to be privileged. |
|
@tamird when creating a github token, you can opt to select no scopes at all: https://developer.github.com/v3/oauth/#scopes also, to prevent errors like #109, on setup one could check the response
(you could even go farther as to warn if the token given is way too privileged and has too many scopes that jspm will never use) |
|
Yes, that's true, and yet it didn't work. See #89. |
|
I don't see anything stating that it doesn't work, there |
|
That issue is about unprivileged tokens not working with JSPM (they had to have |
|
but that's what this PR is for: a new implementation ;) |
|
Yes, that's true. Perhaps you could open an alternative PR to flesh out On Sep 22, 2016 08:46, "Adam Burgess" notifications@github.com wrote:
|
4 participants
As discussed in #99.
If this LGTY I'll open the same PR against 0.17.
@guybedford