
Rails + OAuth Github - Deprecation notice for authentication via URL query parameters. How do I move params to header?


This is my first time doing GitHub OAuth in Rails, so I followed a YouTube tutorial that was out of date (2015). It was clear and my app works; however, when I successfully signed up I got the following email:

Hi @NAME,

On July 30th, 2020 at 19:31 (UTC) your application used an access token (with the User-Agent Faraday v0.17.0) as part of a query parameter to access an endpoint through the GitHub API:

https://api.github.com/user

Please use the Authorization HTTP header instead as using the access_token query parameter is deprecated.

Depending on your API usage, we'll be sending you this email reminder on a monthly basis.

Visit https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param for more information about suggested workarounds and removal dates.

Thanks, The GitHub Team

And indeed my secret info is visible in my URL: https://github.com/login?client_id=123456789&return_to=%2Flogin%2Foauth%2Fauthorize%3Fclient_id%123456789%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A4000%252Fauth%252Fgithub%252Fcallback%26response_type%3Dcode%26state%123456789

I need to move these things to the header, but I don't know how to do that. My code is:

Application Config

module AppName
  class Application < Rails::Application
    # Initialize configuration defaults for originally generated Rails version.
    config.load_defaults 6.0
    # Settings in config/environments/* take precedence over those specified here.
    # Application configuration can go into files in config/initializers
    # -- all .rb files in that directory are automatically loaded after loading
    # the framework and any gems in your application.
    config.middleware.use OmniAuth::Builder do
      provider :developer if Rails.env.development?
      provider :github, ENV['CLIENTID'], ENV['CLIENTSECRET']
    end
  end
end

Session Controller

class SessionController < ApplicationController
  skip_before_action :verify_authenticity_token, only: [:create]

  def create
    # Look the user up by provider + uid; the block only runs on first sign-up.
    user = User.find_or_create_by(
      provider: auth_hash[:provider],
      uid: auth_hash[:uid]
    ) do |user|
      user.name = auth_hash[:info][:name]
    end
    session[:user_id] = user.id
    redirect_to :about
  end

  def destroy
    reset_session
    redirect_to :root
  end

  private

  # The auth hash OmniAuth puts on the Rack env after the provider callback.
  def auth_hash
    request.env['omniauth.auth']
  end
end

Routes:

get 'auth/github', as: 'github_auth'

Gemfile:

# Login
gem 'omniauth'
gem 'omniauth-github', github: 'omniauth/omniauth-github', branch: 'master'

More info from github: https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param/

This email tells you that you are making requests like https://api.github.com/user?access_token=<your_token_value>, and this is deprecated. You should put the access_token value inside the Authorization header, and the value should be prefixed with token, e.g. token <your_token_value>. This lib is using the oauth2 gem, and I think you should configure options.mode and probably options.header_format, because it is set to Bearer %s by default.

provider :github, ENV['GITHUB_KEY'], ENV['GITHUB_SECRET'],
  :auth_token_params => {
    :mode => :header,
    :header_format => 'token %s',
  }
Are GITHUB_KEY and GITHUB_SECRET different from my CLIENTID and CLIENTSECRET? (These are what they are called when I look at the OAuth application I created.)
– JoshuaESummers, Jul 31, 2020 at 13:45

https://github.com/login?client_id=123456789&return_to=%2Flogin%2Foauth%2Fauthorize%3Fclient_id%123456789%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A4000%252Fauth%252Fgithub%252Fcallback%26response_type%3Dcode%26state%3D697853cdf17ead6c1a2cbefd258feadd79550d015ada6aa8
– JoshuaESummers, Jul 31, 2020 at 13:47

No, they are the same. The problem is not in this URL; it is in https://api.github.com/user. They send you that info in the email.
– matejko219, Jul 31, 2020 at 14:03
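Added example (not code from the question, the answer, or the omniauth/oauth2 gems): stdlib-only Ruby that builds the GitHub /user request in both forms the thread is about, reports where the token travels, and scans a URL for credential-bearing query parameters. It assumes a placeholder token, a hypothetical User-Agent string, and uses the authorize URL pasted in the question as sample input; the /user request is built but never sent, so it runs offline.

```ruby
# Added example, not the question's or answer's code: shows the deprecated
# ?access_token= form next to the Authorization-header form using only the
# Ruby standard library (no oauth2 gem, no network).
require 'net/http'
require 'uri'
require 'cgi'

GITHUB_USER_ENDPOINT = URI('https://api.github.com/user')

# Constructed placeholder, not a real GitHub token.
EXAMPLE_TOKEN = 'gho_exampletoken0123456789'

# The authorize URL pasted in the question (ids already replaced by the asker).
# Used below to show that it carries client_id/redirect_uri/state but no token.
QUESTION_AUTHORIZE_URL = 'https://github.com/login?client_id=123456789&return_to=%2Flogin%2Foauth%2Fauthorize%3Fclient_id%123456789%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A4000%252Fauth%252Fgithub%252Fcallback%26response_type%3Dcode%26state%123456789'

# Build a GET for /user. mode :query reproduces the form the deprecation email
# complains about; mode :header with header_format 'token %s' is the shape the
# answer's auth_token_params settings produce (oauth2's default is 'Bearer %s').
def build_user_request(token, mode: :header, header_format: 'token %s')
  uri = GITHUB_USER_ENDPOINT.dup
  req = case mode
        when :query
          uri.query = URI.encode_www_form(access_token: token)
          Net::HTTP::Get.new(uri)
        when :header
          r = Net::HTTP::Get.new(uri)
          r['Authorization'] = format(header_format, token)
          r
        else
          raise ArgumentError, "unknown mode #{mode.inspect}"
        end
  req['User-Agent'] = 'example-app' # hypothetical UA; GitHub requires one
  req
end

# Where does the token travel? The request line (path + query string) is what
# lands in server access logs, proxy logs, Referer headers and browser history;
# an Authorization header is not normally logged.
def token_location(req, token)
  return :query  if req.path.include?(token)
  return :header if req['Authorization'].to_s.include?(token)
  :absent
end

# Log-review helper: which credential-bearing query parameters does a URL carry?
# Returns an empty array for the question's authorize URL, since client_id,
# redirect_uri and state are not secrets.
SECRET_QUERY_PARAMS = %w[access_token client_secret].freeze

def leaked_secret_params(url)
  query = URI(url).query
  return [] if query.nil?
  SECRET_QUERY_PARAMS & CGI.parse(query).keys
end

if __FILE__ == $PROGRAM_NAME
  good = build_user_request(EXAMPLE_TOKEN)
  bad  = build_user_request(EXAMPLE_TOKEN, mode: :query)
  puts "header mode -> token in #{token_location(good, EXAMPLE_TOKEN)}, request line #{good.path}"
  puts "query mode  -> token in #{token_location(bad, EXAMPLE_TOKEN)}, request line #{bad.path}"
  puts "authorize URL leaks: #{leaked_secret_params(QUESTION_AUTHORIZE_URL).inspect}"
end
```

Two checks worth doing after applying the answer's configuration. First, GitHub accepts both `token <value>` and `Bearer <value>` in the Authorization header, so `header_format` is a matter of taste; the setting that matters is `mode: :header`. Second, `auth_token_params` only sets the initial options on the access token object; if the installed strategy's own `raw_info` method assigns `access_token.options[:mode]` before calling `/user`, that assignment runs later and wins, so read the gem version you actually have bundled (the question pins the master branch) rather than assuming the config took effect, and confirm by watching for the monthly email to stop or by logging the outgoing request.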