This is an automated email from the ASF dual-hosted git repository.

klesh pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/incubator-devlake.git


The following commit(s) were added to refs/heads/main by this push:
     new ce67c6c70 feat: check GitHub token permissions when test connection 
(#4686)
ce67c6c70 is described below

commit ce67c6c70f963678b8f16b9dd8a9c7ff01089efe
Author: jakezhu9 <[email protected]>
AuthorDate: Mon Mar 20 10:19:31 2023 +0800

    feat: check GitHub token permissions when test connection (#4686)
---
 backend/plugins/github/api/connection.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/backend/plugins/github/api/connection.go 
b/backend/plugins/github/api/connection.go
index 91dd3420f..4c7697b98 100644
--- a/backend/plugins/github/api/connection.go
+++ b/backend/plugins/github/api/connection.go
@@ -20,6 +20,7 @@ package api
 import (
        "context"
        "net/http"
+       "strings"
 
        "github.com/apache/incubator-devlake/core/errors"
        "github.com/apache/incubator-devlake/core/plugin"
@@ -28,6 +29,8 @@ import (
        "github.com/apache/incubator-devlake/server/api/shared"
 )
 
+var RequirePermission = []string{"repo:status", "repo_deployment", 
"read:user", "read:org"}
+
 type GithubTestConnResponse struct {
        shared.ApiBody
        Login string `json:"login"`
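Review bot: `RequirePermission` is added as an exported, mutable package-level slice with no doc comment, so any importing package can append to or overwrite the scope list that the connection test enforces. Unless something outside this package needs to read it, make it unexported and document it: `// requiredScopes lists the classic-token OAuth scopes that TestConnection checks for.` followed by `var requiredScopes = []string{"repo:status", "repo_deployment", "read:user", "read:org"}`. The name would also read better as "scopes", which is the term used by the `X-OAuth-Scopes` header that the check reads.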
@@ -69,6 +72,16 @@ func TestConnection(input *plugin.ApiResourceInput) 
(*plugin.ApiResourceOutput,
                return nil, errors.BadInput.Wrap(err, "invalid token")
        }
 
+       // for github classic token, check permission
+       if strings.HasPrefix(conn.Token, "ghp_") {
+               scopes := res.Header.Get("X-OAuth-Scopes")
+               for _, permission := range RequirePermission {
+                       if !strings.Contains(scopes, permission) {
+                               return nil, errors.BadInput.New("insufficient 
token permission")
+                       }
+               }
+       }
+
        githubApiResponse := &GithubTestConnResponse{}
        githubApiResponse.Success = true
        githubApiResponse.Message = "success"
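Review bot: The scope check in the `ghp_` branch uses `strings.Contains` on the raw `X-OAuth-Scopes` header, so a token with the broader `repo`, `user` or `admin:org` scope is rejected even though those scopes include the required ones. Substring matching is also the wrong primitive for a comma-separated list; the header should be split on commas and trimmed, then compared as whole scope names, with parent scopes accepted. The error would be more actionable if it named the missing scope, which is not sensitive. Only tokens starting with `ghp_` are checked, so other token formats pass this step unverified; a comment saying that is intentional would help. `TestConnection` begins and ends outside this hunk, so how `res` and `conn` are populated is not visible here.

```go
// for github classic token, check permission
if strings.HasPrefix(conn.Token, "ghp_") {
	// a broader scope implies the narrower ones listed against it
	impliedBy := map[string][]string{
		"repo:status":     {"repo"},
		"repo_deployment": {"repo"},
		"read:user":       {"user"},
		"read:org":        {"admin:org", "write:org"},
	}
	granted := map[string]bool{}
	for _, s := range strings.Split(res.Header.Get("X-OAuth-Scopes"), ",") {
		granted[strings.TrimSpace(s)] = true
	}
	for _, permission := range RequirePermission {
		ok := granted[permission]
		for _, parent := range impliedBy[permission] {
			ok = ok || granted[parent]
		}
		if !ok {
			return nil, errors.BadInput.New("insufficient token permission: missing scope " + permission)
		}
	}
}
// … unchanged: building githubApiResponse …
```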
