I was a Mintlify customer 6 months ago and found their onboarding strange. Their Github app asked for permissions to access all my repos and there was no way to get around that. I just wanted to give them access to my docs repo not my app repo. Ended up having to dig through their settings page and revoking that permission after onboarding.
For customer OAuth tokens, I believe you should NEVER store the access token in the database. Only store the refresh token in the database. When you need api access, get a new access token with the refresh token and client secret.
This prevents incidents like the above as the attacker would also need your client secret, which is ideally not in your database.
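An added example of the refresh-token-only pattern described in the comment above (my code, not from the thread, from Mintlify or from GitHub). It assumes a standard RFC 6749 refresh_token grant, reads the client secret from an environment variable rather than a database column (an assumed deployment detail), and uses a constructed stand-in for the provider's token endpoint so it runs offline; the database deliberately has no column in which an access token could be stored.

```python
"""Keep only refresh tokens at rest; mint short-lived access tokens on demand.

Added example. Assumptions: RFC 6749 section 6 refresh_token grant, client secret
supplied via the OAUTH_CLIENT_SECRET environment variable, and an injected token
endpoint (here a constructed fake) so nothing leaves the machine.
"""
import os
import secrets
import sqlite3
import time
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qsl, urlencode


class TokenStore:
    """Persists refresh tokens only. There is intentionally no access_token column."""

    def __init__(self, path: str = ":memory:") -> None:
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS oauth_grants "
            "(user_id TEXT PRIMARY KEY, refresh_token TEXT NOT NULL)"
        )

    def save_refresh_token(self, user_id: str, refresh_token: str) -> None:
        self.db.execute(
            "INSERT OR REPLACE INTO oauth_grants (user_id, refresh_token) VALUES (?, ?)",
            (user_id, refresh_token),
        )
        self.db.commit()

    def refresh_token_for(self, user_id: str) -> str:
        row = self.db.execute(
            "SELECT refresh_token FROM oauth_grants WHERE user_id = ?", (user_id,)
        ).fetchone()
        if row is None:
            raise KeyError(user_id)
        return row[0]

    def columns(self) -> list:
        """Schema check: what an attacker holding a DB dump would actually get."""
        return [c[1] for c in self.db.execute("PRAGMA table_info(oauth_grants)")]


def build_refresh_request(refresh_token: str, client_id: str, client_secret: str) -> str:
    """Form-encoded body of an RFC 6749 refresh_token grant."""
    return urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })


class OAuthClient:
    """Fetches an access token only when needed and keeps it in memory, never in the DB."""

    def __init__(self, store: TokenStore, client_id: str,
                 post_token_request: Callable[[str], Dict]) -> None:
        self.store = store
        self.client_id = client_id
        self.post = post_token_request
        self._cache: Dict[str, Tuple[str, float]] = {}  # user_id -> (access_token, expires_at)

    def access_token_for(self, user_id: str) -> str:
        cached = self._cache.get(user_id)
        if cached and cached[1] > time.time() + 30:  # reuse until close to expiry
            return cached[0]
        secret = os.environ["OAUTH_CLIENT_SECRET"]  # assumption: injected at runtime, not stored in DB
        body = build_refresh_request(self.store.refresh_token_for(user_id), self.client_id, secret)
        resp = self.post(body)
        if "refresh_token" in resp:  # provider rotated the refresh token: persist the new one
            self.store.save_refresh_token(user_id, resp["refresh_token"])
        self._cache[user_id] = (resp["access_token"], time.time() + int(resp.get("expires_in", 3600)))
        return resp["access_token"]


def fake_token_endpoint(valid_refresh: str, client_secret: str) -> Callable[[str], Dict]:
    """Constructed stand-in for a provider token endpoint: checks the secret and rotates refresh tokens."""
    state = {"refresh": valid_refresh}

    def post(body: str) -> Dict:
        params = dict(parse_qsl(body))
        if params.get("client_secret") != client_secret or params.get("refresh_token") != state["refresh"]:
            raise PermissionError("invalid_grant")  # refresh token alone is useless without the secret
        state["refresh"] = "rt-" + secrets.token_hex(8)
        return {"access_token": "at-" + secrets.token_hex(8), "expires_in": 3600,
                "refresh_token": state["refresh"]}

    return post


def demo() -> Dict:
    """Constructed end-to-end run; returns the observations so they can be checked."""
    os.environ["OAUTH_CLIENT_SECRET"] = "constructed-client-secret"
    store = TokenStore()
    store.save_refresh_token("user-42", "rt-initial")
    endpoint = fake_token_endpoint("rt-initial", os.environ["OAUTH_CLIENT_SECRET"])
    client = OAuthClient(store, "constructed-client-id", endpoint)
    token = client.access_token_for("user-42")
    token_again = client.access_token_for("user-42")  # served from memory, no second round trip
    # Someone holding only the DB contents (refresh token, no secret) gets nothing usable.
    try:
        endpoint(build_refresh_request(store.refresh_token_for("user-42"), "constructed-client-id", "guess"))
        rejected = False
    except PermissionError:
        rejected = True
    return {"columns": store.columns(), "token": token, "token_again": token_again,
            "rotated": store.refresh_token_for("user-42") != "rt-initial",
            "wrong_secret_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Two caveats the comment implies but does not spell out: providers that rotate refresh tokens return a new one on each refresh, so the store must overwrite the old value or the next refresh fails; and the design only helps if the client secret lives outside the trust boundary that a database compromise crosses, which is why it is read from the process environment here rather than from any table.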
Overly generous permissions are something that often makes me not install software. Zoom apps for example. Slack apps another example. Mostly browser extensions.
This is pretty typical of GitHub, unfortunately. They have terrible scoping and don't give developers the option to even give users that flexibility. It's been like this for over a decade, I don't think GitHub will ever learn.
Wrong. “GitHub Apps” always (?) had fine-grained repo-scoped permissions, it’s the “OAuth apps” that are stuck with coarse-grained permissions. So developers do have the option, it’s even the preferred option.[1]
> In general, GitHub Apps are preferred over OAuth apps.
If half a decade is new, sure. Except I was replying to someone claiming “I don't think GitHub will ever learn”, commenting on an article from a company created in 2021.
With apps, you can certainly grant access to individual repos instead of all repos. Yes I’ve tried.
Here’s how this thread went:
brycelarkin: Mintlify’s GitHub app asked for permissions to access all my repos.
You: Developers don’t have the option to not access all repos.
Me: False. GitHub apps do have fine grained permissions, as in they don’t have to access all repos.
You: Even with apps you don’t have fine grained permissions “you’d think you’d get”.
So what are you talking about? What’s the thing I’d think I’d get but not getting and how is that related to “permissions to access all repos” as discussed here?
Exactly. You'd need to implement standard authentication mechanisms, preventing these vectors of attack from existing in the first place.
They are "in the process" and "looking" to do that.
As of now, if I am not mistaken, the main issue still persists and any other new security vulnerability will possibly give full access to tokens again.
Correct me if I am wrong please, but I don't see anything in the comment or blog post saying otherwise.
> and are also in the process of completely deprecating the admin tokens for a more secure internal authentication procedure. Not to mention, we're also looking to fully deprecate the need of the GitHub OAuth tokens entirely in the coming weeks.