Is there a Github API OAuth scope that allows you to check a user has access to a private repo *without* also granting access to repo code?

huangapple go评论53阅读模式
英文:

Is there a Github API OAuth scope that allows you to check a user has access to a private repo *without* also granting access to repo code?

问题

我正在构建一个OAuth应用程序,用于与Github一起工作。我需要通过令牌范围来确定经过身份验证的用户是否可以访问仓库(公共或私有),以便我可以相应地限制应用程序的访问权限。

我明确不希望从我的应用程序中访问仓库代码,因为a)我希望用户和公司能够放心地将其用于私有仓库,b)应用程序不需要知道,所以我希望保持最低权限。

我正在努力寻找一个OAuth范围,允许应用程序查询用户是否可以访问特定仓库,而不需要要求用户授予应用程序访问其代码的权限。

我找到的最接近的是repo:status。但这需要我猜测一个分支名称,通常是mainmaster,但没有保证。

有更好的方法吗?

英文:

I'm building an OAuth app to work with Github. I need to know, via token scopes, whether an authenticated user has access to a repo (public or private) so that I can restrict access accordingly in my app.

I explicitly do not want access to repo code from my app because a) I want users and companies to have confidence to use it with private repos and b) the app doesn't need to know, so I'd like to keep it least-privilege.

I'm struggling to find an OAuth scope that will allow the app to query whether a user has access to a specific repo without also needing to ask my users to grant the app permission to access their code.

The nearest I've found is repo:status. However that requires me to guess a branch name, which is usually main or master, but there's no guarantee.

Is there a better way?

答案1

得分: 1

你可以尝试使用repo_deployment范围和/repos/{owner}/{repo}/deployments端点来完成此操作。部署列表确认了对存储库的访问权限,不需要事先了解默认分支。

如果可能的话,可以使用GitHub App 而不是 OAuth App,只关注组织存储库的话,你可以请求组织的member和存储库的metadata权限,以便使用/repos/{owner}/{repo}/collaborators/{username}端点来检查用户是否是存储库的合作者。

英文:

You may be able to accomplish this using the repo_deployment scope and the /repos/{owner}/{repo}/deployments endpoint. The list of deployments confirms access to the repository, and it does not require prior knowledge about the default branch.

If it is possible to use a GitHub App instead of an OAuth App — and you are only concerned about organization repositories — then you could request organization member and repository metadata permissions in order to use the /repos/{owner}/{repo}/collaborators/{username} endpoint to check if the user is a collaborator on the repository.

huangapple
  • 本文由 发表于 2023年2月14日 01:53:38
  • 转载请务必保留本文链接:https://go.coder-hub.com/75439551.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定