From 193824a196d2d5d0f74cdfae6549acf2044163a6 Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Tue, 1 Apr 2014 22:49:18 -0400
Subject: [PATCH 1/2] Change Github Login to use its own application/client ID so that we don't accidentally lower valid trigger tokens

---
 config.py | 10 ++++++++++
 endpoints/callbacks.py | 8 ++++----
 static/js/app.js | 5 +++--
 static/js/controllers.js | 2 +-
 4 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/config.py b/config.py
index 2428a9a1e..daf89b79f 100644
--- a/config.py
+++ b/config.py
@@ -152,8 +152,12 @@ class MixpanelProdConfig(MixpanelTestConfig):
 class GitHubTestConfig(object):
+ GITHUB_LOGIN_CLIENT_ID = '0e8dbe15c4c7630b5480'
+ GITHUB_LOGIN_CLIENT_SECRET = 'ac50334c10737b7abd004e23875b63a6c527edaa'
+
 GITHUB_CLIENT_ID = 'cfbc4aca88e5c1b40679'
 GITHUB_CLIENT_SECRET = '7d1cc21e17e10cd8168410e2cd1e4561cb854ff9'
+
 GITHUB_TOKEN_URL = 'https://github.com/login/oauth/access_token'
 GITHUB_USER_URL = 'https://api.github.com/user'
 GITHUB_USER_EMAILS = GITHUB_USER_URL + '/emails'
@@ -163,11 +167,17 @@ class GitHubStagingConfig(GitHubTestConfig):
 GITHUB_CLIENT_ID = '4886304accbc444f0471'
 GITHUB_CLIENT_SECRET = '27d8a5d99af02dda821eb10883bcb2e785e70a62'
+ GITHUB_LOGIN_CLIENT_ID = 'b5099ca5bc5ff6311981'
+ GITHUB_LOGIN_CLIENT_SECRET = '22b87a8133356a461b92d9b609d5e761c8fbedec'
+
 class GitHubProdConfig(GitHubTestConfig):
 GITHUB_CLIENT_ID = '5a8c08b06c48d89d4d1e'
 GITHUB_CLIENT_SECRET = 'f89d8bb28ea3bd4e1c68808500d185a816be53b1'
+ GITHUB_LOGIN_CLIENT_ID = 'a77931a0868729722fb5'
+ GITHUB_LOGIN_CLIENT_SECRET = '7d977c8184cef68055cce0aed8658d065b3e8596'
+
 class DigitalOceanConfig(object):
 DO_CLIENT_ID = 'LJ44y2wwYj1MD0BRxS6qHA'
diff --git a/endpoints/callbacks.py b/endpoints/callbacks.py
index 0f110c098..e1cbf565c 100644
--- a/endpoints/callbacks.py
+++ b/endpoints/callbacks.py
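Review bot: GITHUB_LOGIN_CLIENT_SECRET is added to GitHubTestConfig as a literal string next to the existing GITHUB_CLIENT_SECRET, so an OAuth client secret now lives in a tracked source file and stays recoverable from history even after a later commit removes it. The client IDs are public by design (app.js ships them to the browser), but the secrets should be read from the environment or a secrets store, e.g. `GITHUB_LOGIN_CLIENT_SECRET = os.environ['GITHUB_LOGIN_CLIENT_SECRET']` with a matching `import os`, and the values committed here should be rotated once they are moved. The same applies to the staging and prod classes in the next hunk (@@ -163,11) and to the reordered block in patch 2 (@@ -152,12).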
@@ -20,11 +20,11 @@ client = app.config['HTTPCLIENT']
 callback = Blueprint('callback', __name__)
-def exchange_github_code_for_token(code):
+def exchange_github_code_for_token(code, for_login=True):
 code = request.args.get('code')
 payload = {
- 'client_id': app.config['GITHUB_CLIENT_ID'],
- 'client_secret': app.config['GITHUB_CLIENT_SECRET'],
+ 'client_id': app.config['GITHUB_LOGIN_CLIENT_ID' if for_login else 'GITHUB_CLIENT_ID'],
+ 'client_secret': app.config['GITHUB_LOGIN_CLIENT_SECRET' if for_login else 'GITHUB_CLIENT_SECRET'],
 'code': code,
 }
 headers = {
@@ -117,7 +117,7 @@ def github_oauth_attach():
 def attach_github_build_trigger(namespace, repository):
 permission = AdministerRepositoryPermission(namespace, repository)
 if permission.can():
- token = exchange_github_code_for_token(request.args.get('code'))
+ token = exchange_github_code_for_token(request.args.get('code'), for_login=False)
 repo = model.get_repository(namespace, repository)
 if not repo:
 msg = 'Invalid repository: %s/%s' % (namespace, repository)
diff --git a/static/js/app.js b/static/js/app.js
index 57a012a44..86e6f8f5b 100644
--- a/static/js/app.js
+++ b/static/js/app.js
@@ -839,6 +839,7 @@ quayApp = angular.module('quay', ['ngRoute', 'chieffancypants.loadingBar', 'angu
 } else {
 keyService['stripePublishableKey'] = 'pk_test_uEDHANKm9CHCvVa2DLcipGRh';
 keyService['githubClientId'] = 'cfbc4aca88e5c1b40679';
+ keyService['githubLoginClientId'] = '0e8dbe15c4c7630b5480';
 keyService['githubRedirectUri'] = 'http://localhost:5000/oauth2/github/callback';
 }
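Review bot: The new signature `def exchange_github_code_for_token(code, for_login=True):` keeps the `code` parameter, but the unchanged first line of the body, `code = request.args.get('code')`, overwrites it, so the value both callers pass (including `request.args.get('code')` in the @@ -117,7 hunk below) is ignored; delete that line so the function actually uses its argument. Consider also giving `for_login` no default: with `for_login=True` any caller that omits the flag silently exchanges its code against the login application, which is the mix-up the subject says this commit is separating, whereas a required argument forces each call site to name the application it means. A one-line docstring stating that the login and trigger flows use two distinct GitHub OAuth applications, and why, would record the reason for the split. The function body continues past the end of the hunk.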
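Review bot: The host-to-client-id table in app.js now duplicates the per-environment values in config.py (`keyService['githubLoginClientId']` here, GITHUB_LOGIN_CLIENT_ID there), and a mismatch between the two only surfaces when GitHub rejects the code at token exchange, as the prod and staging entries missing from this hunk and added in patch 2 show. Having the server hand the active login client id to the page (a template variable or a small config endpoint, whichever the app already has) would leave one source of truth. Exposing the ids to the browser is fine in itself, since OAuth client ids are public identifiers; only the secrets must stay server-side.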
@@ -1527,7 +1528,7 @@ quayApp.directive('signinForm', function () {
 // Needed to ensure that UI work done by the started callback is finished before the location
 // changes.
 $timeout(function() {
- var url = 'https://github.com/login/oauth/authorize?client_id=' + encodeURIComponent(KeyService.githubClientId) +
+ var url = 'https://github.com/login/oauth/authorize?client_id=' + encodeURIComponent(KeyService.githubLoginClientId) +
 '&scope=user:email' + mixpanelDistinctIdClause;
 document.location = url;
 }, 250);
@@ -1590,7 +1591,7 @@ quayApp.directive('signupForm', function () {
 $scope.github_state_clause = '&state=' + mixpanelId;
 });
- $scope.githubClientId = KeyService.githubClientId;
+ $scope.githubClientId = KeyService.githubLoginClientId;
 $scope.awaitingConfirmation = false;
 $scope.registering = false;
diff --git a/static/js/controllers.js b/static/js/controllers.js
index c2249773c..4cb27db2c 100644
--- a/static/js/controllers.js
+++ b/static/js/controllers.js
@@ -1616,7 +1616,7 @@ function UserAdminCtrl($scope, $timeout, $location, ApiService, PlanService, Use
 $scope.convertStep = 0;
 $scope.org = {};
 $scope.githubRedirectUri = KeyService.githubRedirectUri;
- $scope.githubClientId = KeyService.githubClientId;
+ $scope.githubClientId = KeyService.githubLoginClientId;
 $scope.authorizedApps = null;
 $('.form-change').popover();

From 9fb5ef9ecda0925f9866483ab7539031c52bcddc Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Tue, 1 Apr 2014 22:59:43 -0400
Subject: [PATCH 2/2] Add missing client side IDs for github login

---
 config.py | 6 +++---
 static/js/app.js | 2 ++
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/config.py b/config.py
index daf89b79f..bbe1d1513 100644
--- a/config.py
+++ b/config.py
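Review bot: The rewritten `var url = ...` line still completes the authorize URL with `mixpanelDistinctIdClause`; if that clause is the `&state=` parameter, as the signupForm hunk below builds it (`'&state=' + mixpanelId`), then `state` carries an analytics identifier rather than an unguessable value bound to this browser's session, and the callback has nothing to check that the code it receives belongs to the flow this page started (RFC 6749 §10.12). Generate a random per-session nonce on the server, send it as `state`, and compare it in the callback; the Mixpanel id can travel in a separate parameter. The directive starts and ends outside the hunk, and where `mixpanelDistinctIdClause` is assigned is not visible here, so this is raised as a point to confirm.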
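Review bot: `$scope.githubClientId = KeyService.githubLoginClientId;` leaves a scope property named for the trigger application holding the login application's id, the same conflation the series is trying to remove. Rename it `$scope.githubLoginClientId` here in signupForm and in the UserAdminCtrl hunk of controllers.js (@@ -1616,7), updating the templates that read it (outside this diff). Both enclosing functions start and end outside their hunks.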
@@ -152,12 +152,12 @@ class MixpanelProdConfig(MixpanelTestConfig):
 class GitHubTestConfig(object):
- GITHUB_LOGIN_CLIENT_ID = '0e8dbe15c4c7630b5480'
- GITHUB_LOGIN_CLIENT_SECRET = 'ac50334c10737b7abd004e23875b63a6c527edaa'
-
 GITHUB_CLIENT_ID = 'cfbc4aca88e5c1b40679'
 GITHUB_CLIENT_SECRET = '7d1cc21e17e10cd8168410e2cd1e4561cb854ff9'
+ GITHUB_LOGIN_CLIENT_ID = '0e8dbe15c4c7630b5480'
+ GITHUB_LOGIN_CLIENT_SECRET = 'ac50334c10737b7abd004e23875b63a6c527edaa'
+
 GITHUB_TOKEN_URL = 'https://github.com/login/oauth/access_token'
 GITHUB_USER_URL = 'https://api.github.com/user'
 GITHUB_USER_EMAILS = GITHUB_USER_URL + '/emails'
diff --git a/static/js/app.js b/static/js/app.js
index 86e6f8f5b..0d4c8f6dd 100644
--- a/static/js/app.js
+++ b/static/js/app.js
@@ -831,10 +831,12 @@ quayApp = angular.module('quay', ['ngRoute', 'chieffancypants.loadingBar', 'angu
 if ($location.host() === 'quay.io') {
 keyService['stripePublishableKey'] = 'pk_live_P5wLU0vGdHnZGyKnXlFG4oiu';
 keyService['githubClientId'] = '5a8c08b06c48d89d4d1e';
+ keyService['githubLoginClientId'] = 'a77931a0868729722fb5';
 keyService['githubRedirectUri'] = 'https://quay.io/oauth2/github/callback';
 } else if($location.host() === 'staging.quay.io') {
 keyService['stripePublishableKey'] = 'pk_live_P5wLU0vGdHnZGyKnXlFG4oiu';
 keyService['githubClientId'] = '4886304accbc444f0471';
+ keyService['githubLoginClientId'] = 'b5099ca5bc5ff6311981';
 keyService['githubRedirectUri'] = 'https://staging.quay.io/oauth2/github/callback';
 } else {
 keyService['stripePublishableKey'] = 'pk_test_uEDHANKm9CHCvVa2DLcipGRh';