Minimize Github API access #220
Comments
|
The "private project boards" thing (and wording) is news to me. I /think/ the reasoning is that I needed to be able to query if an organisation you're a part of is sponsoring me to grant you the early access bonus? I can probably make this opt-in though (at the very least) so it only asks for it, if it finds you don't support me directly. (Or maybe organisations supporting me shouldn't give access to all their members anyway..) I'll definitely take a look at this (no ETA guarantees, but I agree this looks fishy) |
|
I've deployed a version of the codebase that only asks for I've also deleted all records from the ...which means I don't have "too-powerful" credentials in my DB anymore and can't accidentally use them.
To reset this:
(This doesn't delete your user settings on fasterthanli.me.) After that, Log out and Log into fasterthanli.me again. Hopefully everything still works! New flow: 
Thanks for catching this! |
|
Okay, so the mystery is now fully solved: the scope was useful, but only for me! I run a different set of GraphQL queries to generate the list at https://fasterthanli.me/patron-list - and those require the I simply added code that asks me (and only me) to re-log in with broader scopes when I log in with GitHub. |
When trying to connect fasterthanli.me with my Github, I saw that it would give you read access to organization data.
I might be naive there, but I've hoped that you can verify me without this kind of data.
I assume many companies will not be fond of their private project boards leaking that way.
The text was updated successfully, but these errors were encountered: