
Having integrated with Github before - for providing OAuth and pulling private repositories - I will say that they've never really had fine-grained permissions. The scopes are here[1] and from what I can tell, I can't ask for private repo access to a _specific_ repository for a given OAuth token. Maybe this is different for a Github App, but just quickly browsing through their docs, I don't think this is the case either.

[1] https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps


Any idea how Netlify does it? There I can only select from the repos I have granted access to, and if I want to add a new one I click "Configure the Netlify app on GitHub", which opens a window where I can choose which repos to allow access to. Always wondered how that works.


They made a GitHub app, which is different from OAuth.


They actually give you fine-grained permissions, down to the single repo access level – but only if you build a Github app. OAuth apps don't offer that unfortunately and I assume are considered a bit "legacy".


The whole GitHub permission/scope area has been a big issue for a lot of 3rd party developers for a very long time now: https://github.com/dear-github/dear-github/issues/113


I wonder if these security incidents will encourage them to improve it?


Apps let a user specify the specific repos that one can have access to. That’s what we use for our company, tasker.sh.

Furthermore, we basically only ask for the one “mandatory” permission - there are scores of perms you could request when authorizing an app - and that’s just read only access to the code.


Yes, the OAuth scopes are way way too coarse. Even to the point of not being able to separate read-only vs R/W.

GitHub apps are indeed noticeably better. But that doesn’t always help.
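To make the difference the thread is describing concrete, here is an added example (not from any commenter) that audits what an OAuth token's scopes actually grant, using the `X-OAuth-Scopes` response header GitHub returns, next to what a GitHub App installation object grants through its `permissions` and `repository_selection` fields. The scope hierarchy follows the scope docs linked above; all sample header and installation values are constructed.

```python
"""Least-privilege audit: GitHub OAuth token scopes vs. GitHub App installation grant."""

# Scope hierarchy from GitHub's OAuth scope docs: a parent scope implies its children.
SCOPE_IMPLIES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "user": {"read:user", "user:email", "user:follow"},
}


def expand_scopes(header_value):
    """Turn an X-OAuth-Scopes header value ("repo, read:org") into the effective scope set."""
    scopes = {s.strip() for s in header_value.split(",") if s.strip()}
    todo = list(scopes)
    while todo:
        for child in SCOPE_IMPLIES.get(todo.pop(), ()):
            if child not in scopes:
                scopes.add(child)
                todo.append(child)
    return scopes


def oauth_private_repo_access(header_value):
    """Return (can_read_private, can_write_private) for an OAuth token.

    The only OAuth scope that reads private repositories is `repo`, and it also
    writes them, across every repository the user can reach: there is no
    read-only or single-repository variant, which is the coarseness complained
    about in the thread.
    """
    has_repo = "repo" in expand_scopes(header_value)
    return has_repo, has_repo


def app_installation_access(installation):
    """Return (can_read_contents, can_write_contents, limited_to_selected_repos)
    for a GitHub App installation object, whose `permissions` map holds
    per-permission "read"/"write" levels and whose `repository_selection`
    is "all" or "selected"."""
    level = installation.get("permissions", {}).get("contents")
    selected = installation.get("repository_selection") == "selected"
    return level in ("read", "write"), level == "write", selected


if __name__ == "__main__":
    # Constructed sample values, not real tokens or installations.
    print("OAuth 'repo, read:org' ->", oauth_private_repo_access("repo, read:org"))
    app = {"permissions": {"contents": "read"}, "repository_selection": "selected"}
    print("App contents:read on selected repos ->", app_installation_access(app))
```

The OAuth result is (True, True) even though the caller only wanted to read, while the App installation can be pinned to contents:read on selected repositories only.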



