Ask for read:org OAuth scope, warn for outdated tokens #786
This is to facilitate:
- requesting teams for review on `pr create`
- allowing `repo create ORG/REPO --team TEAM`
How this works for people with existing OAuth tokens:
$ gh issue list -L1
Notice: additional authorization required
Press Enter to open github.com in your browser...
[auth flow in the browser...]
Authentication complete. Press Enter to continue...
Showing 1 of 132 issues in cli/cli
...
Users of Personal Access Tokens get a different notice:
Warning: gh now requires the `read:org` OAuth scope.
Visit https://github.com/settings/tokens and edit your token to enable `read:org`
or generate a new token and paste it via `gh config set -h github.com oauth_token MYTOKEN`
This is now ready for review!

How to test this:
probablycorey left a comment:
I tried it out locally and it worked well. The code was a bit tricky to follow and I left some notes inline.
```go
opts = append(opts,
    api.AddHeader("Authorization", fmt.Sprintf("token %s", token)),
    api.CheckScopes("read:org", checkScopesFunc),
    api.AddHeaderFunc("Authorization", getAuthValue),
```
It was a little tricky to follow how the token var was being passed around here. The best way I could think of to make it simpler would be a scope check in the root command instead of using RoundTripper. But that has its own problems because you'd need to set some state once you've verified that the app has the correct permissions.
It is complicated but I feel like it matches what we already have going on in the oauth code so it doesn't feel too out of place.
Definitely agree that it's complex how the token var is passed around this area of the code. This was a result of me jumping through hoops after realizing that, even though we write the new token to the config file, we didn't have any mechanism for updating the token in-memory during the lifetime of the CLI process. I haphazardly made such a mechanism here using closures, but it's not ideal and I will make a note to clean it up.
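The two mechanisms this thread is about, the scope-checking RoundTripper and the closure that lets a re-authenticated token replace the in-memory one, as an added Go example that is not cli/cli code: the names `AddHeaderFunc` and `CheckScopes` are borrowed from the snippet above, the option chaining is simplified to direct wrapping, and the fake API with its token table is constructed. It relies on GitHub reporting a token's granted scopes in the `X-OAuth-Scopes` response header.

```go
package main

import (
	"net/http"
	"strings"
)

type funcTripper func(*http.Request) (*http.Response, error)
func (f funcTripper) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// AddHeaderFunc (name from the snippet above) re-evaluates value on every request, so a
// token replaced in memory after re-authentication is sent on all later requests.
func AddHeaderFunc(next http.RoundTripper, name string, value func() string) http.RoundTripper {
	return funcTripper(func(r *http.Request) (*http.Response, error) {
		r.Header.Set(name, value())
		return next.RoundTrip(r)
	})
}

// HasScope reports whether a GitHub X-OAuth-Scopes header ("repo, read:org") lists want.
func HasScope(header, want string) bool {
	return strings.Contains(","+strings.ReplaceAll(header, " ", "")+",", ","+want+",")
}

// CheckScopes (name from the snippet) reads X-OAuth-Scopes off each response and calls cb
// once if want is missing; in the CLI, cb is where the auth flow re-runs and stores the token.
func CheckScopes(next http.RoundTripper, want string, cb func(string) error) http.RoundTripper {
	warned := false
	return funcTripper(func(r *http.Request) (*http.Response, error) {
		res, err := next.RoundTrip(r)
		if err == nil && !warned && !HasScope(res.Header.Get("X-OAuth-Scopes"), want) {
			warned, err = true, cb(want)
		}
		return res, err
	})
}

// Demo is a constructed scenario: the fake API grants read:org only to "token NEW", so the
// first request trips the check, cb swaps the token in memory, and the second carries it.
func Demo() (seen []string) {
	api := funcTripper(func(r *http.Request) (*http.Response, error) {
		auth := r.Header.Get("Authorization")
		seen = append(seen, auth)
		granted := map[string]string{"token OLD": "repo", "token NEW": "repo, read:org"}[auth]
		return &http.Response{StatusCode: 200, Header: http.Header{"X-Oauth-Scopes": {granted}}}, nil
	})
	token := "OLD"
	rt := AddHeaderFunc(api, "Authorization", func() string { return "token " + token })
	rt = CheckScopes(rt, "read:org", func(string) error { token = "NEW"; return nil })
	req, _ := http.NewRequest("GET", "https://api.github.com/user", nil)
	rt.RoundTrip(req)
	rt.RoundTrip(req)
	return seen
}
```

`Demo()` returns the Authorization values the fake API saw, `token OLD` then `token NEW`, which is the in-memory update the comment above describes.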
Co-Authored-By: Corey Johnson <probablycorey@gmail.com>
New tokens are requested with the `read:org` OAuth scope, and old tokens are detected by their missing `read:org` scope, in which case the user is asked to re-authenticate. This is to facilitate:
- `pr create`: Support setting related fields for PRs and issues when creating #340
- `repo create ORG/REPO --team TEAM`: gh repo create --team throws graphql error #639

Fixes #782
TODO: