Authorising single user to push commits using access token #270

Open
r00tdaemon opened this issue Feb 17, 2019 · 2 comments
Labels
feature request needs docs Signifies that the issue requests a documentation update.

Comments

@r00tdaemon

r00tdaemon commented Feb 17, 2019

I'm not sure if this is already possible or not.
The current entries endpoint might be susceptible to abuse as anyone can make the request to https://api.staticman.net/v2/entry/{GITHUB USERNAME}/{GITHUB REPOSITORY}/{BRANCH}/

Is there a way to authorise the request, maybe with an access token? So that only the requests with valid tokens make a PR?

Something like, https://api.staticman.net/v2/entry/{GITHUB USERNAME}/{GITHUB REPOSITORY}/{BRANCH}/ with token=xxyyzz as POST data

This way we can safely get rid of the moderation as well

@r00tdaemon
Author

An encrypted Token field can be added to config and user can make the request with the original token.
The token from request can then be compared with the decrypted token from config to authorise the request.

@r00tdaemon r00tdaemon changed the title from "Authorising single user to push commits using Github access token" to "Authorising single user to push commits using access token" Feb 17, 2019
@VincentTam
Contributor

> The current entries endpoint might be susceptible to abuse as anyone can make the request to https://api.staticman.net/v2/entry/{GITHUB USERNAME}/{GITHUB REPOSITORY}/{BRANCH}/.

For real examples of this, one may refer to #298.

> Is there a way to authorise the request, maybe with an access token? So that only the requests with valid tokens make a PR?

This is already implemented in #219, and further enhanced in #231. You may test @staticmanlab, a public instance for GitLab, which has implemented the later unmerged PR.

N.B. My instance doesn't have Akismet and Mailgun since the main goal for setting it up is to test its GitLab support, so I choose not to expose myself to their pricing plans.

@alexwaibel alexwaibel added the labels "feature request" and "needs docs" (Signifies that the issue requests a documentation update.) Nov 8, 2019
caiopavanelli pushed a commit to caiopavanelli/staticman that referenced this issue Aug 17, 2020
Fixed error from HTML5 validator and used input type URL