[SRU] Authentication/Authorization broken due to GitHub platform changes
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| gist (Ubuntu) | Fix Released | Medium | Unassigned | |
| Bionic | Confirmed | Medium | Unassigned | |
| Focal | Fix Released | Medium | Unassigned | |
Bug Description
[Impact]
* Gist upload (arguably the core function of the package) is not functioning. Package versions prior to 5.1.0 provide the user's access token as a query (URL) parameter; however, GitHub changes now require it to be provided as an HTTP(S) header: https:/
* --login is not functioning. Package versions prior to 6.0.0 use an authentication endpoint that has been shut down since November 2020: https:/
[Test Plan]
* rm ~/.gist # stored credentials
* gist-paste --login
Currently (5.0.0-4 focal) fails; output:
Obtaining OAuth2 access_token from github.
GitHub username: username
GitHub password:
RuntimeError: Got Net::HTTPNotFound from gist: {"message":"Not Found",
Expected web-based OAuth; output:
Requesting login parameters...
Please sign in at https:/
and enter code: DEAD-BEEF
Success! https:/
* echo 'class Test {}' > Test.java
* gist-paste -f Test.java -t java -p -d 'Fast method tester' -R Test.java
Currently (5.0.0-4 focal) fails; output:
Error: Got Net::HTTPBadRequest from gist: {"message":"Must specify access token via Authorization header. https:/
Expected randomly-generated Gist link; output:
https:/
[Where problems could occur]
* The SRU requires a rewrite of authentication workflow, with a new OAuth (web-based) approach.
The `--login` invocation previously accepted two inputs over stdin; however, it now waits for the user to carry out manual steps based on the instructions displayed (opening a page in a web browser and entering a code, as visible in the Test Plan above). Although automated scripts should not be invoking `--login`, as the relevant token is stored persistently in the user's home, if they do so it could halt further processing of the script.
[Other Info]
* These changes have been tested as part of package release on prior Ubuntu versions, as well as landing in Debian stable:
- Gist 5.1.0-1 was published in Groovy (20.10) with relevant HTTP(S) header change.
- Gist 6.0.0-1 was published in Hirsute (21.04) with relevant changes for OAuth workflow (--login).
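The header change described under [Impact], as an added example that is not code from the gist package or this bug report: it builds the Gist API request both the pre-5.1.0 way (token in the URL query string) and the way GitHub now requires (token in the Authorization header), and checks that the secret stays out of the request target. The endpoint and header names are those of the public GitHub REST API; the token value is a constructed placeholder.

```ruby
# Added example (not from the gist package): token-in-URL vs token-in-header.
require 'net/http'
require 'json'
require 'uri'

GIST_API = URI('https://api.github.com/gists')

# Pre-5.1.0 style (deprecated by GitHub): ?access_token=... in the URL.
# Anything that records the request line (proxies, access logs, shell
# history, crash reports) sees the secret.
def build_legacy_request(token, files)
  uri = GIST_API.dup
  uri.query = URI.encode_www_form(access_token: token)
  req = Net::HTTP::Post.new(uri)
  req['Content-Type'] = 'application/json'
  req.body = JSON.generate(public: false, files: files)
  req
end

# 5.1.0+ style: token only in the Authorization header; URL stays clean.
def build_header_request(token, files)
  req = Net::HTTP::Post.new(GIST_API)
  req['Authorization'] = "token #{token}"
  req['Accept'] = 'application/vnd.github.v3+json'
  req['Content-Type'] = 'application/json'
  req.body = JSON.generate(public: false, files: files)
  req
end

# Defensive check for a wrapper script or test suite to run before sending:
# true when the secret appears nowhere in the request target (path + query).
def token_kept_out_of_url?(req, token)
  !req.path.include?(token)
end

if __FILE__ == $PROGRAM_NAME
  token = 'ghp_EXAMPLEtoken000000000000000000000000' # constructed placeholder
  files = { 'Test.java' => { content: 'class Test {}' } }
  legacy = build_legacy_request(token, files)
  modern = build_header_request(token, files)
  puts "legacy request leaks token in URL: #{!token_kept_out_of_url?(legacy, token)}"
  puts "header request leaks token in URL: #{!token_kept_out_of_url?(modern, token)}"
end
```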
- summary: "gist-paste command gives e-maled error message" → "gist-paste command is broken in this version"
- summary: "gist-paste command is broken in this version" → "gist-paste command is too old and can no longer authenticate"
- description: updated
- description: updated
- Changed in gist (Ubuntu): importance: Undecided → Medium
- Changed in gist (Ubuntu Bionic): importance: Undecided → Medium
- Changed in gist (Ubuntu Focal): importance: Undecided → Medium
Hi,
it seems that the individual change to overcome
https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param/
would be
https://github.com/defunkt/gist/commit/635b1437a513e9a13367827ee3f74fbbdaa54aa8
But a bit more wide-reaching: the old auth flow in general is also deprecated and already going away (depending on your account type).
Therefore one most likely also wants all of:
https://github.com/defunkt/gist/pull/323
Because without the new Auth flow it seems logins via the tool are failing now as well:
Old:
gist-paste --login
Obtaining OAuth2 access_token from github.
GitHub username: ...
GitHub password:
Traceback (most recent call last):
...
New:
gist-paste --login
Requesting login parameters...
Please sign in at https://github.com/login/device
and enter code: XXXX-YYYY
Success! https://github.com/settings/connections/applications/xxxxxxxxxxxxxxxxxxxx
root@i:~# gist-paste -f test -p -d 'test'
(type a gist. <ctrl-c> to cancel, <ctrl-d> when done)
Foo
https://gist.github.com/xxxxxxxxxxxxxxxxxxxxxxxxx
And yes those two changes are in v6.0 and later which matches Ubuntu 21.04 and later.
I'm not sure if this is more an SRU [1] or an item for the newly re-forming backports team [2].
I'd wonder if there are use cases left that still work fine in the current version and that might be broken/changed by upgrading - if that is the case then more backports. If not, then an SRU might apply indeed.
P.S. I was only triaging this, but not working on it. So anyone else that comes by, feel free to work on it - there will be no collision with me :-)
[1]: https://wiki.ubuntu.com/StableReleaseUpdates
[2]: https://lists.ubuntu.com/archives/ubuntu-devel/2021-August/041587.html