Merge pull request #38 from pulsar-edit/allow-parent-scopes

lib: Allow parent scopes when checking if each required scope is set
pulsar-edit · Dec 12, 2023 · 06d9dbb · 06d9dbb
2 parents 65eacd2 + 6e800cb
commit 06d9dbb
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 4 deletions.
diff --git a/lib/models/github-login-model.js b/lib/models/github-login-model.js
@@ -8,7 +8,7 @@ let instance = null;
 export default class GithubLoginModel {
   // Be sure that we're requesting at least this many scopes on the token we grant through github.atom.io or we'll
   // give everyone a really frustrating experience ;-)
-  static REQUIRED_SCOPES = ['repo', 'read:org', 'user:email']
+  static REQUIRED_SCOPES = ['public_repo', 'read:org', 'user:email']
 
   static get() {
     if (!instance) {
@@ -70,7 +70,25 @@ export default class GithubLoginModel {
 
           for (const scope of this.constructor.REQUIRED_SCOPES) {
             if (!scopeSet.has(scope)) {
+              if (scope === 'public_repo' && scopeSet.has('repo')) {
+                // 'repo' is a superset of, and implies, 'public_repo'.
+                // Setting just 'public_repo' or full 'repo' both have legitimate use-cases. So we won't warn about it.
+                continue;
+              }
+              if (scope === 'read:org' && scopeSet.has('admin:org')) {
+                // 'admin:org' is a superset of, and implies, 'read:org'.
+                console.warn('Excessive scopes detected on your github token. Please only set the actually needed scopes on your PAT.')
+                console.warn('Excessive scope "admin:org" should be "read:org" instead.')
+                continue;
+              }
+              if (scope === 'user:email' && scopeSet.has('user')) {
+                // 'user' is a superset of, and implies, 'user:email'.
+                console.warn('Excessive scopes detected on your github token. Please only set the actually needed scopes on your PAT.')
+                console.warn('Excessive scope "user" should be "user:email" instead.')
+                continue;
+              }
               // Token doesn't have enough OAuth scopes, need to reauthenticate
+              console.log("GitHub token doesn't have a required scope! Missing: " + scope);
               this.checked.set(fingerprint, INSUFFICIENT);
               return INSUFFICIENT;
             }

diff --git a/lib/views/github-login-view.js b/lib/views/github-login-view.js
@@ -2,11 +2,13 @@ import React from 'react';
 import PropTypes from 'prop-types';
 
 import {autobind} from '../helpers';
+import {INSUFFICIENT} from '../shared/keytar-strategy';
 
 export default class GithubLoginView extends React.Component {
   static propTypes = {
     children: PropTypes.node,
     onLogin: PropTypes.func,
+    tokenStatus: PropTypes.symbol,
   }
 
   static defaultProps = {
@@ -15,6 +17,7 @@ export default class GithubLoginView extends React.Component {
     <span>Log in to GitHub to access PR information and more!</span>
   </div>,
     onLogin: token => {},
+    tokenStatus: Symbol(),
   }
 
   constructor(props, context) {
@@ -57,22 +60,34 @@ export default class GithubLoginView extends React.Component {
     );
   }
 
+  renderTokenHint() {
+    if (this.props.tokenStatus === INSUFFICIENT) {
+      return(<span>Hint: Entered token has insufficient scopes. Update the scopes on your token and try again. See Dev Tools console for details.</span>);
+    }
+  }
+
   renderTokenInput() {
+    const tokenHint = this.renderTokenHint();
+
     return (
       <form className="github-GithubLoginView-Subview" onSubmit={this.handleSubmitToken}>
         <div className="github-GitHub-LargeIcon icon icon-mark-github" />
         <h1>Enter Token</h1>
         <ol>
           <li>
-            Visit <a href="https://github.com/settings/tokens">github.com/settings/tokens</a> to generate a new
-            Personal Access Token (classic).<sup><a href="https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-personal-access-token-classic">[docs]</a></sup>
+            Visit <a href="https://github.com/settings/tokens/new?scopes=repo,workflow,user:email,read:org&description=Pulsar%20github%20package">
+              github.com/settings/tokens
+            </a> to generate a new Personal Access Token (classic).
+            <sup><a href="https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-personal-access-token-classic">[docs]</a></sup>
           </li>
           <li>
             Ensure it has the following permissions: <code>repo</code>, <code>workflow</code>, <code>read:org</code>, and <code>user:email</code>.
           </li>
           <li>Enter the token below:</li>
         </ol>
 
+        {tokenHint}
+
         <input
           type="text"
           className="input-text native-key-bindings"

diff --git a/lib/views/github-tab-view.js b/lib/views/github-tab-view.js
@@ -81,7 +81,7 @@ export default class GitHubTabView extends React.Component {
 
     if (this.props.token === INSUFFICIENT) {
       return (
-        <GithubLoginView onLogin={this.props.handleLogin}>
+        <GithubLoginView onLogin={this.props.handleLogin} tokenStatus={INSUFFICIENT}>
           <p>
             Your token no longer has sufficient authorizations. Please re-authenticate and generate a new one.
           </p>