Verifying GitHub Organizations for WebX Guild Integration

[mkubdev]

As we move forward with the integration of GitHub organizations into our SaaS, it's imperative that we ensure the authenticity and integrity of these organizations. Here's some details about the workflow:

1. OAuth2 Authentication integration 🛂

• Integrate GitHub's OAuth2 auth mechanism. This way, users can log in using their GitHub credentials. OAuth also provides the necessary permissions to check the organizations a user is part of and their roles.
• Upon successful authentication, GitHub will provide us with access tokens. These tokens are pivotal as they grant us the ability to make authenticated API requests on behalf of the user.

2. Create the organization 🌱

• When a user tries to create an organization on webxguild, prompt them to log in with their GitHub account if they haven't already.
• Fetch the list of organizations the user is a part of on GitHub using the authenticated API call:

GET /user/orgs

• Along with the list of organizations, we also get roles for each organization. Check if the user has the role admin for the organization they are trying to verify on webxguild.

3. Verify Ownership 🔍

• Along with the list of organizations, you also get roles for each organization. Check if the user has the role admin for the organization they are trying to verify :
  

• If the user has the admin role, we can mark the organization as "verified" on our side.

💡 If i'm correct, this is only possible for public organization.

4. Verify GitHub verification Status ✅

• The organization details endpoint also returns an is_verified field. If true, it indicates that the organization has been officially verified by GitHub.

5. Manual verification mechanism ✍

• In scenarios where automated verification is ambiguous, we should have a manual verification protocol in place. This could entail sending a verification email to the organization's official contact (retrievable from the GitHub API).

6. Security protocols 🔐

• Regular checks: we need to consider implementing a periodic checks to ensure the user still has admin privileges on the GitHub organization. This will keep the verification status updated.
• Ensure robust storage of Oauth tokens.
• Enforce HTTPS (of course you'll tell me, hum).
• Add additional security layers: rate limite, brutforce blacklist..

By integrating GitHub's Oauth, we can ensure that only geniune owners of a GitHub organization can create and verify the same orgs on webx-guild.

But that open the discution to new questions:

• Can a webx user create an organization even if he's not the owner on GitHub? (Or the organization doesn't exist yet on GitHub ?)

Ressources:

• https://docs.github.com/en/apps/oauth-apps/building-oauth-apps

Mentions:

• @darkterminal

[darkterminal]

So every member that joins with our webxguild needs to integrate their GitHub account to it. If they don't, we assume they are only event enthusiasts (or whatever you call them), right?

1. OAuth2 Authentication integration 🛂

• Integrate GitHub's OAuth2 auth mechanism. This way, users can log in using their GitHub credentials. OAuth also provides the necessary permissions to check the organizations a user is part of and their roles.
• Upon successful authentication, GitHub will provide us with access tokens. These tokens are pivotal as they grant us the ability to make authenticated API requests on behalf of the user.

This is done on the client side, and the client will throw an "access token" to the backend for verification (which is held for the next process) or stored in LocalStorage for the next process before being thrown to the backend.

And the next step can be done in the backend to carry out safer verification.

[mkubdev]

This is done on the client side, and the client will throw an "access token" to the backend for verification (which is held for the next process) or stored in LocalStorage for the next process before being thrown to the backend.

That sound perfect..

[darkterminal]

3. Verify Ownership 🔍

   Along with the list of organizations, you also get roles for each organization. Check if the user has the role admin for the organization they are trying to verify :
   

💡 If i'm correct, this is only possible for public organization.

This task is also done! 🏁

4. Verify GitHub verification Status ✅

• The organization details endpoint also returns an is_verified field. If true, it indicates that the organization has been officially verified by GitHub.

This task is a Work In Progress and I plan to start mapping out what the database looks like for everything related to the organization, this is directly related to the UI/UX design that is being worked on.

We need communication and information to gather opinions and equalize perceptions between designers, frontend developers, and backend developers in an intent manner.

I have also written and described the development process that will be carried out in the future to make it easier for everyone to understand, please see and give your own opinion on the Engineering Wiki in Notion.