Making WordPress.org

Opened 5 years ago

Closed 5 years ago

#5061 closed task (blessed) (fixed)

Upgrade GitHub OAuth Usage

Reported by: pento's profile pento Owned by: dd32's profile dd32
Milestone: Priority: normal
Component: Profiles Keywords:
Cc:

Description

I received this email from GitHub with regards to how WordPress.org authenticates GitHub profiles.

Hello there!

On February 26th, 2020 at 00:18 (PST), your application (WordPress.org Profiles) issued a request using the deprecated form of OAuth Application API that includes access tokens in the URL path. GitHub has deprecated these endpoints and replaced them with a version that accepts access tokens in the request body.

The deprecated endpoints will be removed on July 1st, 2020 at 4:00 PM UTC.

Please visit https://developer.github.com/changes/2020-02-14-deprecating-oauth-app-endpoint for more information about suggested changes, brownouts, and removal dates.

Thanks,
The GitHub Team

Change History (4)

#1 @dd32
5 years ago

  • Owner set to dd32
  • Status changed from new to accepted

I've been looking into this today, it looks like it affects the DELETE unlinking functionality, so should be a simple change.

#2 @afragen
5 years ago

What GitHub is doing is deprecating the auth token in a query arg.

The solution is to use the same auth token in a Basic Auth header.

The format from the http_request_args filter is

$args['headers']['Authorization'] = token my_current_auth_token';

Assuming the authentication is via wp_remote_get()

#3 @dd32
5 years ago

I think this is fixed as of r15784-dotorg.

  • class-api-endpoint.php

     
    4747
    4848                // Revoke our access to that users token
    4949                $api = $this->make_api_request(
    50                         '/applications/' . CLIENT_ID . '/grants/' . $access_token,
    51                         null,
     50                        '/applications/' . CLIENT_ID . '/grant',
     51                        json_encode( [ 'access_token' => $access_token ] ),
    5252                        [ 'Authorization' => 'BASIC ' . base64_encode( CLIENT_ID . ':' . CLIENT_SECRET ) ],
    5353                        'DELETE'
    5454                );

#4 @dd32
5 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

Looks like that was all that was affected based on the Endpoints affected listing on https://developer.github.com/changes/2020-02-14-deprecating-oauth-app-endpoint/

wporg-profiles-github-link$ grep '/token' . -r
No Results

wporg-profiles-github-link$ grep '/grant' . -r
./class-api-endpoint.php:			'/applications/' . CLIENT_ID . '/grant',
Note: See TracTickets for help on using tickets.