Bug#955485: composer: Backport GitHub access_token fix before API removal

Wed, 01 Apr 2020 05:39:39 -0700 

Package: composer
Version: 1.8.4-1
Severity: normal
Tags: patch

Dear Maintainer,

Until version 1.10.0 (commit 4b6c25d4b), Composer used the access_token
query parameter to authenticate with GitHub.  GitHub has announced[1]
that access_token is deprecated with brownouts on September 30 and
October 28, followed by removal on November 13, 2020.  They are
currently sending monthly email notifications to access_token users.

Since this is within the LTS timeline for both Stretch and Buster, and
the patch to fix the issue (attached) is quite small, would you consider
applying the fix to versions in those releases?

Thanks,
Kevin


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.5 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

>From 4b6c25d4bc33d49097320e29e6e5705b12e9d6ef Mon Sep 17 00:00:00 2001
Message-Id: 
<4b6c25d4bc33d49097320e29e6e5705b12e9d6ef.1585743806.git.ke...@kevinlocke.name>
From: Jordi Boggiano <[email protected]>
Date: Tue, 14 Jan 2020 15:35:52 +0100
Subject: [PATCH] Use Authorization header instead of deprecated access_token
 query param, fixes #8454

---
 src/Composer/Util/RemoteFilesystem.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Composer/Util/RemoteFilesystem.php 
b/src/Composer/Util/RemoteFilesystem.php
index 6d343f7a1..4885b7530 100644
--- a/src/Composer/Util/RemoteFilesystem.php
+++ b/src/Composer/Util/RemoteFilesystem.php
@@ -278,7 +278,7 @@ protected function get($originUrl, $fileUrl, 
$additionalOptions = array(), $file
         if (isset($options['github-token'])) {
             // only add the access_token if it is actually a github URL (in 
case we were redirected to S3)
             if (preg_match('{^https?://([a-z0-9-]+\.)*github\.com/}', 
$fileUrl)) {
-                $fileUrl .= (false === strpos($fileUrl, '?') ? '?' : '&') . 
'access_token='.$options['github-token'];
+                $options['http']['header'][] = 'Authorization: token 
'.$options['github-token'];
             }
             unset($options['github-token']);
         }
-- 
2.25.1

Reply via email to