Requested permissions are too broad

[fluffynuts]

If Merico aims to provide metrics for software development I can understand wanting read-access to basically all public information on GitHub, but why does it also request write access? I'm not comfortable handing over global write access to my code on GitHub.

Would it be possible to reduce required permissions to read-only?

[lucasgonze]

Thanks for reporting this. It's a bug.

We intended to redo permissions to only ask for "(no scope)" permissions. Somehow the ticket got closed without being implemented. We'll investigate further.

[joncodo]

You are right.

authGithub: (req, res) => {
    // https://docs.github.com/en/free-pro-team@latest/developers/apps/scopes-for-oauth-apps
    passport.authorize('github', {
      scope: ['user:email', 'public_repo'],
      accessType: 'offline',
      approvalPrompt: 'force',
      state: JSON.stringify({
        isLogin: req.query.login
      })
    })(req, res)
  },

We will get this in the pipeline to be fixed.

[hezyin]

@fluffynuts Thanks for reporting this. We re-investigated the Github OAuth scopes (docs) and looked for a scope that only allows read-only access to public repos. Unfortunately, there's no such scope available and it seems this has been a known issue for Github OAuth since 2016. In short, Github OAuth doesn't support read-only access to repos. Here is one of the many similar feature requests to Github that I can find on this topic.

We also looked into how other apps that need access to repos handle this. And this doc by CodeClimate also confirmed our research:

The repo and public_repo scopes grant read and write access to code. While we will never write code to your repository, currently these OAuth scopes are the most narrow that GitHub supports for our use case (there is no repo:read e.g.).

So we're already using the most narrow scope that's required for our use case (public_repo). We'll keep an eye out on Github's progress in supporting this but there's not much that we can fix for now.

We'll consider adding help text to explain better why the public_repo scope is needed here. Thanks again for using Merico Build!

[lucasgonze]

@fluffynuts status: our next step is to make a developer build with "no scope" permissions and see if there are any broken features.

[lucasgonze]

read_only permissions are on the way.