
Deprecation for authentication via URL query parameters #83

@ybiquitous


Hi! I've received the following email from GitHub since yesterday:

Subject: [GitHub API] Deprecation notice for authentication via URL query parameters

Hello there!

On February 3rd, 2020 at 23:51 (UTC) your application (*****) used an access token (with the User-Agent Faraday v0.17.3) as part of a query parameter to access an endpoint through the GitHub API.

https://api.github.com/user

Please use the Authorization HTTP header instead as using the `access_token` query parameter is deprecated.

Depending on your API usage, we'll be sending you this email reminder once every 3 days for each token and User-Agent used in API calls made on your behalf.
Just one URL that was accessed with a token and User-Agent combination will be listed in the email reminder, not all.

Visit https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters for more information.

Thanks,
The GitHub Team

See also https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters

I've identified the problem in the following places:

def raw_info
  access_token.options[:mode] = :query
  @raw_info ||= access_token.get('user').parsed
end

def emails
  return [] unless email_access_allowed?
  access_token.options[:mode] = :query
  @emails ||= access_token.get('user/emails', :headers => { 'Accept' => 'application/vnd.github.v3' }).parsed
end

When I try the following monkey patch on my environment, it works! 🎉

class OmniAuth::Strategies::GitHub
  def raw_info
    access_token.options[:mode] = :header
    @raw_info ||= access_token.get('user').parsed
  end

  def emails
    return [] unless email_access_allowed?
    access_token.options[:mode] = :header
    @emails ||= access_token.get('user/emails', :headers => { 'Accept' => 'application/vnd.github.v3' }).parsed
  end
end

Here is the essential change: ⬇️

-access_token.options[:mode] = :query
+access_token.options[:mode] = :header
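
Review bot: the assignment on the `+` line still mutates `access_token.options` on every call and has to be repeated in each method that makes a request (`raw_info` and `emails` in the snippets above), so a method added later could silently use a different mode. Consider setting the mode once where the token object is built, and add a spec asserting that the request URL carries no `access_token` parameter so the change cannot regress.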

I don't want to depend on such a monkey-patch in my codebase, so I'm ready to open a new pull request if you could accept the workaround. 😄

Environment

  • Ruby 2.6.5
  • omniauth (1.9.0)
  • omniauth-oauth2 (1.6.0)
  • omniauth-github (1.3.0)
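
Added example (not part of the original issue, and not omniauth-github or oauth2 code): a stdlib-only Ruby sketch that builds the same `user` request in both modes and checks whether the token ends up in the request URL, the part that server and proxy logs record. The helper names, the `Bearer` header format and the sample token are assumptions made for illustration.

```ruby
require 'net/http'
require 'uri'

API_BASE = 'https://api.github.com/'.freeze # host from the notice quoted above
PARAM    = 'access_token'.freeze            # query parameter named in the notice

# Build (never send) a GET for `path` with the token placed according to `mode`.
# The "Bearer" format used for :header is an assumption for this sketch.
def build_request(path, token, mode)
  raise ArgumentError, "unknown mode: #{mode.inspect}" unless %i[query header].include?(mode)

  uri = URI.join(API_BASE, path)
  uri.query = URI.encode_www_form(PARAM => token) if mode == :query
  req = Net::HTTP::Get.new(uri)
  req['Authorization'] = "Bearer #{token}" if mode == :header
  req
end

# True when the request target (the part access logs record) carries the token.
def token_in_url?(req)
  query = req.uri.query
  return false if query.nil?

  URI.decode_www_form(query).any? { |key, _| key == PARAM }
end

# Mask the token parameter in a URL before it is written to a log.
def redact_url(url)
  uri = URI.parse(url)
  return url if uri.query.nil?

  pairs = URI.decode_www_form(uri.query).map do |key, value|
    [key, key == PARAM ? 'REDACTED' : value]
  end
  uri.query = URI.encode_www_form(pairs)
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  token = 'CONSTRUCTED-TOKEN-123' # constructed sample, not a real credential
  %i[query header].each do |mode|
    req = build_request('user', token, mode)
    puts "#{mode}: target=#{redact_url(req.uri.to_s)} token_in_url=#{token_in_url?(req)}"
  end
end
```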
