contemporary with TunePrint https://www.mattababy.org/~belmonte/Tuneprint/ and at least one other. (Somehow TunePrint managed to get a record label to fill a fileserver with audio files and ship it back across country to use as training data - one of the stranger applications ever for AFS :-)
I was a Mintlify customer 6 months ago and found their onboarding strange. Their Github app asked for permissions to access all my repos and there was no way to get around that. I just wanted to give them access to my docs repo not my app repo. Ended up having to dig through their settings page and revoking that permission after onboarding.
For customer OAuth tokens, I believe you should NEVER store the access token in the database. Only store the refresh token in the database. When you need api access, get a new access token with the refresh token and client secret.
This prevents incidents like the above as the attacker would also need your client secret, which is ideally not in your database.
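A worked illustration of the pattern the comment describes (refresh token at rest, access token minted on demand with the client secret), added here as an example; it is not the commenter's code and not Mintlify's. The token endpoint is a constructed in-memory stand-in so the block runs offline, and the field names follow the standard OAuth 2.0 refresh grant; the cache margin, customer ids and token strings are assumptions made for the example.

```python
"""Added example: persist only the OAuth refresh token, never the access token.

Access tokens are minted at use-time from the refresh token plus the client
secret, which lives in the app's secret store rather than the database. The
`post` callable stands in for an HTTPS call to the provider's token endpoint
(assumption: standard RFC 6749 refresh_token grant).
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

TokenPoster = Callable[[str, Dict[str, str]], Dict[str, object]]


@dataclass
class CustomerRecord:
    # This is everything that reaches the database: no access token.
    customer_id: str
    refresh_token: str


@dataclass
class TokenBroker:
    token_url: str
    client_id: str
    client_secret: str                      # secret store, not the DB
    post: TokenPoster
    db: Dict[str, CustomerRecord] = field(default_factory=dict)
    # In-memory only: customer_id -> (access_token, expiry epoch seconds)
    _cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def save_customer(self, customer_id: str, refresh_token: str) -> None:
        self.db[customer_id] = CustomerRecord(customer_id, refresh_token)

    def access_token_for(self, customer_id: str, now: float = None) -> str:
        now = time.time() if now is None else now
        cached = self._cache.get(customer_id)
        if cached and cached[1] > now + 30:     # 30 s safety margin (assumed)
            return cached[0]
        rec = self.db[customer_id]
        resp = self.post(self.token_url, {
            "grant_type": "refresh_token",
            "refresh_token": rec.refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        if "error" in resp:
            raise PermissionError(f"token endpoint refused: {resp['error']}")
        token = str(resp["access_token"])
        expiry = now + int(resp.get("expires_in", 3600))
        # Providers that rotate refresh tokens return a new one; persist it.
        if "refresh_token" in resp:
            rec.refresh_token = str(resp["refresh_token"])
        self._cache[customer_id] = (token, expiry)
        return token

    def dump_db(self) -> Dict[str, Dict[str, str]]:
        # What a database leak would expose: refresh tokens only.
        return {cid: vars(r) for cid, r in self.db.items()}


def can_mint_with(post: TokenPoster, refresh_token: str, client_secret: str) -> bool:
    """Does a refresh token alone (with this secret guess) yield an access token?"""
    resp = post("https://example.invalid/token", {   # constructed URL
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": "example-client",
        "client_secret": client_secret,
    })
    return "access_token" in resp


def make_fake_token_endpoint(expected_secret: str, known_refresh_tokens: set,
                             rotate: bool = False) -> TokenPoster:
    """Constructed stand-in for a provider token endpoint (runs offline)."""
    def post(url: str, form: Dict[str, str]) -> Dict[str, object]:
        if form.get("client_secret") != expected_secret:
            return {"error": "invalid_client"}
        if (form.get("grant_type") != "refresh_token"
                or form.get("refresh_token") not in known_refresh_tokens):
            return {"error": "invalid_grant"}
        resp = {"access_token": "access-" + secrets.token_hex(8),
                "token_type": "bearer", "expires_in": 3600}
        if rotate:
            new_rt = "refresh-" + secrets.token_hex(8)
            known_refresh_tokens.discard(form["refresh_token"])
            known_refresh_tokens.add(new_rt)
            resp["refresh_token"] = new_rt
        return resp
    return post


if __name__ == "__main__":
    endpoint = make_fake_token_endpoint("s3cret", {"rt-alice"})
    broker = TokenBroker("https://example.invalid/token", "example-client", "s3cret", endpoint)
    broker.save_customer("alice", "rt-alice")
    print("access token (memory only):", broker.access_token_for("alice"))
    print("what the DB holds:", broker.dump_db())
    print("DB contents alone mint a token?", can_mint_with(endpoint, "rt-alice", "wrong-guess"))
```

The `now` parameter exists so expiry handling can be exercised deterministically; the rotation branch matters because a provider that rotates refresh tokens invalidates the old one, so the new value must be written back to the record or the next refresh fails.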
Too generous permissions are something that often makes me not install software. Zoom apps for example. Slack apps another example. Mostly browser extensions.
This is pretty typical of GitHub, unfortunately. They have terrible scoping and don't give developers the option to even give users that flexibility. It's been like this for over a decade, I don't think GitHub will ever learn.
Wrong. “GitHub Apps” always (?) had fine-grained repo-scoped permissions, it’s the “OAuth apps” that are stuck with coarse-grained permissions. So developers do have the option, it’s even the preferred option.[1]
> In general, GitHub Apps are preferred over OAuth apps.
If half a decade is new, sure. Except I was replying to someone claiming “I don't think GitHub will ever learn”, commenting on an article from a company created in 2021.
With apps, you can certainly grant access to individual repos instead of all repos. Yes I’ve tried.
Here’s how this thread went:
brycelarkin: Mintlify’s GitHub app asked for permissions to access all my repos.
You: Developers don’t have the option to not access all repos.
Me: False. GitHub apps do have fine grained permissions, as in they don’t have to access all repos.
You: Even with apps you don’t have fine grained permissions “you’d think you’d get”.
So what are you talking about? What’s the thing I’d think I’d get but not getting and how is that related to “permissions to access all repos” as discussed here?
Exactly. You'd need to implement standard authentication mechanisms, preventing these vectors of attack from existing in the first place.
They are "in the process" and "looking" to do that.
As of now, if I am not mistaken, the main issue still persists and any other new security vulnerability will possibly give full access to tokens again.
Correct me if I am wrong please, but I don't see anything in the comment or blog post saying otherwise.
> and are also in the process of completely deprecating the admin tokens for a more secure internal authentication procedure. Not to mention, we're also looking to fully deprecate the need of the GitHub OAuth tokens entirely in the coming weeks.
Postgraphile. Postgres + graphql. It really solves all the negative aspects of graphql. Also, incredibly performant. Their v5 release is also a pretty interesting piece of tech.
I played with this a bit years ago when it was still called PostgraphQL. My biggest issue with it was that there didn't seem to be a recommended (or even suggested) version control method for things like functions. Using a standard migration tool to update functions seems like hell, so I gave up on using it.
Looking through the docs, I still see no mention of version control or even migrations at all. Is this something that has been solved?
It's an optional command line utility that you may use with PostGraphile which does things like printing out your configuration in a pretty format and using TypeScript to figure out what options are available to you based on the plugins you are using. It is 100% non-essential because all the options are documented in each of the plugins (and also you can use TypeScript auto-complete in your editor), and you can just console.dir() your configuration. You can read about it here: https://postgraphile.org/postgraphile/next/config#viewing-th...
React/Relay front end. Postgraphile/Fastify backend. Postgres database. Typescript. The most OP type safe stack. One change in your database propagates throughout your stack.