kredits/hubot-kredits
9
0
Fork 0
Code Issues 8 Pull Requests Releases 9 Activity

Add GitHub signup oracle #41

Merged
bumi merged 13 commits from feature/github-signup into master 2019-08-28 13:56:54 +00:00
Conversation 26 Commits 13 Files Changed 4 +13 -7
1 changed files with 13 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit c16ea51769 - Show all commits

20
integrations/github.js
View File

@ -214,14 +214,20 @@ module.exports = async function(robot, kredits) {
res.status(400).json({}); res.status(400).json({});
return; return;
} }
const githubResponse = await fetch('https://api.github.com/user', { try {
headers: { const githubResponse = await fetch('https://api.github.com/user', {
'Accept': 'application/vnd.github.v3+json', headers: {
'Authorization': `token ${accessToken}` 'Accept': 'application/vnd.github.v3+json',
} 'Authorization': `token ${accessToken}`
}); }
bumi commented 2019-07-26 09:09:14 +00:00 (Migrated from github.com)
Review
Copy Link

why don't you directly reditect to kredits-web? - using the grant callback option?

why don't you directly reditect to kredits-web? - using the grant callback option?
galfert commented 2019-07-26 09:15:03 +00:00 (Migrated from github.com)
Review
Copy Link

That first redirect should go to the backend server, because that one only contains a (temporary) code that you can then use together with the client secret to exchange it for the actual access token. But you shouldn't put the client secret in a client-side web app.

That first redirect should go to the backend server, because that one only contains a (temporary) code that you can then use together with the client secret to exchange it for the actual access token. But you shouldn't put the client secret in a client-side web app.
galfert commented 2019-07-26 09:17:22 +00:00 (Migrated from github.com)
Review
Copy Link

Also, the endpoint to retrieve the access token using the code and client secret (POST https://github.com/login/oauth/access_token) doesn't have CORS headers, so requests from Web apps wouldn't work.

Also, the endpoint to retrieve the access token using the code and client secret (POST https://github.com/login/oauth/access_token) doesn't have CORS headers, so requests from Web apps wouldn't work.
});
} catch (error) {
robot.logger.error('[hubot-kredits] Fetching user data from GitHub failed:', error);
res.status(500).json({ error });
};
if (githubResponse.status >= 300) { if (githubResponse.status >= 300) {
res.sendStatus(githubResponse.status); res.status(githubResponse.status).json({});
return; return;
} }
const user = await githubResponse.json(); const user = await githubResponse.json();