DEV Community

Diego Gallovich

GitHub API OAuth in 2020.

Small introduction to working with the GitHub API.

Working with RESTful APIs is becoming standard for developers, and the GitHub API has become the go-to API for us developers to get some practice with microservices.

In order to work with most APIs, including GitHub’s, your application’s requests to that API must be authenticated in some way. GitHub’s API offers several methods for this, and which one applies depends on what your application’s request is actually asking for.

The most common use case for an API is to retrieve data from the database behind it. With the GitHub API, a good example would be retrieving a user’s most recent repositories. So… how do we do that?

---
Making an Authenticated request to the GitHub API the 2020 way.

Firstly, in order to make a request, API or not, we need a URL, right?

```
https://api.github.com/
```

That right there, obviously, is the GitHub API’s base URL. Now, for our example, we want the repositories URL of the API, which is the base URL followed by `users/`, a user’s username and the `repos` slug that GitHub provides. Here’s mine, for example:

```
https://api.github.com/users/dieguiviti/repos/
```

---
Very well… now, in order to make an authenticated request to that URL from our back-end application, we need something that identifies our application. That is why, before making any requests, we need to register an OAuth app in GitHub's developer settings in our profile. Once you do that, GitHub issues your application two identifiers: a client_id and a client_secret.

Before February of this year, we put those identifiers in the query string of the URL to identify ourselves to the service provider. Cybercrime is an ever-growing problem, and in order to prevent forged URL-based authentication and the exposure of identifiers, GitHub is taking a new approach to how it authenticates applications that use its API.

---
Query URL Authentication vs. Header Authentication.

As mentioned, GitHub’s customary way of authorizing apps to use its services took the credentials straight from the request’s URL, something like this:

```
https://api.github.com/users/dieguiviti/repos?client_id=my_client_id&client_secret=my_secret_id
```

As you can see, this authentication method exposes the client app’s ID and secret in the URL to any cyber-criminal wishing to hijack the application (and URLs tend to end up in server logs, proxy logs and browser history, well beyond the two parties to the request).

You could make that request with axios using the following code:

```javascript
const axios = require('axios');

// Github api url (credentials in the query string: deprecated and insecure)
let url = "https://api.github.com/users/dieguiviti/repos?client_id=my_client_id&client_secret=my_secret_id";
// Axios request (.then needs a callback function, not a string)
axios.get(url).then(response => {
  // whatever you are doing with the data
  console.log(response.data);
});
```

That is a viable way to get the desired repositories, but not a secure one.

---
How do we address this?

Simple: send your identification credentials in the header of the request, via the request options. Axios, for example, takes an object as its second parameter, called options (or config). In the options object you can specify the configuration for your request. Something like this:

```javascript
// Github api url
let url = "https://api.github.com/users/dieguiviti/repos";

// App credentials loaded from a config file (assumes the "config" npm package,
// which exposes CONFIG.get(); adjust to however your app stores its secrets)
const CONFIG = require('config');
const axios = require('axios');

// Request's options: axios sends `auth` as an HTTP Basic Authorization header
// (client_id as username, client_secret as password), so nothing secret
// appears in the URL. Axios ignores unknown top-level keys such as client_id,
// so the credentials must go under `auth`.
const OPTIONS = {
  headers: { 'user-agent': 'node.js' },
  auth: {
    username: CONFIG.get('githubClientID'),
    password: CONFIG.get('githubSecret')
  }
};

// AXIOS request
axios.get(url, OPTIONS).then(response => {
  // whatever you are doing with the data
  console.log(response.data);
});
```

As you can see, we are supplying our app’s client ID and client secret by placing them in an options object that reads them from a configuration file in our app. We then pass those options to axios and make the request; axios sends the credentials in the request’s Authorization header, so they never appear in the URL.

Yes, just like that we kept our app from exposing its authentication identifiers to anyone out there.

---
What next?

There is a deprecation notice for the query URL authentication method, and it will no longer be available later this year.

If you have any apps that communicate with the GitHub API using URL authentication, it is best to adapt all your requests to this more secure way of authenticating your application as soon as possible.
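As an added example (not code from the original post), here are both request styles side by side as plain axios-style config objects, plus a small migration check for the "What next?" step: it flags any request URL that still carries `client_id`/`client_secret` in its query string. The function names, the `EXAMPLE_*` credentials and the config object shape are assumptions; the real call would pass `fresh.url` and `fresh.config` to `axios.get`.

```javascript
// Added example (not from the original post): the insecure query-string
// style beside the header-based style, built as plain config objects so it
// runs offline. URL and Buffer are Node globals; no axios call is made here.

const GITHUB_API = "https://api.github.com";

// Old style (deprecated in 2020): credentials end up in the URL, so they
// land in proxy logs, browser history and referrer headers.
function buildQueryAuthUrl(username, clientId, clientSecret) {
  const url = new URL(`${GITHUB_API}/users/${username}/repos`);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("client_secret", clientSecret);
  return url.toString();
}

// New style: the same request with the credentials as HTTP Basic auth.
// axios turns `auth` into an `Authorization: Basic <base64(id:secret)>`
// header; the URL carries nothing secret.
function buildHeaderAuthRequest(username, clientId, clientSecret) {
  return {
    url: `${GITHUB_API}/users/${username}/repos`,
    config: {
      headers: { "user-agent": "node.js" },
      auth: { username: clientId, password: clientSecret },
    },
  };
}

// What axios sends for `auth`, spelled out so it can be checked directly.
function basicAuthHeader(clientId, clientSecret) {
  return "Basic " + Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
}

// Migration check: list the OAuth app credential names still present in a
// request URL's query string (useful in a test suite or a log audit).
function credentialsInUrl(urlString) {
  const params = new URL(urlString).searchParams;
  return ["client_id", "client_secret"].filter((k) => params.has(k));
}

// Usage with constructed placeholder credentials (not real ones).
const oldUrl = buildQueryAuthUrl("dieguiviti", "EXAMPLE_ID", "EXAMPLE_SECRET");
const fresh = buildHeaderAuthRequest("dieguiviti", "EXAMPLE_ID", "EXAMPLE_SECRET");
console.log(credentialsInUrl(oldUrl));    // [ 'client_id', 'client_secret' ]
console.log(credentialsInUrl(fresh.url)); // []
// Real call would be: axios.get(fresh.url, fresh.config).then(r => r.data)
```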

Refer to GitHub API documentation for more information and feel free to reach out to me if you have any other questions.

Thank you for reading on and remember to stay relevant!!!
