octokit / octokit.js

The all-batteries-included GitHub SDK for Browsers, Node.js, and Deno.

[FEAT]: A way to prevent auth token being shown to the user, and redirect instead?

JakeSteam opened this issue · comments

Describe the need

I have a GitHub application using createNodeMiddleware with "Request user authorization (OAuth) during installation" enabled, and http://localhost:3000/api/github/oauth/callback set as the "Callback URL".

I can authenticate users successfully, but I'm not sure how to do something useful (redirect user) once I have their token! Instead, they are left on the page, and the following dev-targeted text is shown on screen:

Token created successfully
Your token is: ghu_xxxxxx. Copy it now as it cannot be shown again.

My setup is pretty much identical to the createNodeMiddleware docs, yet I see no way to take the user elsewhere on successful token fetch. I've tried hacky redirects in .createServer and listening to app.oauth.on("token" ... and they cause issues due to the middleware outputting headers first.

This seems like a part of every app with OAuth user's flow, so there must be an obvious answer I'm missing!

SDK Version

Octokit.js 3.1.2

API Version

No response

Relevant log output

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

What you see is the standard behavior for the GET /api/github/oauth/callback; it's implemented here:
https://github.com/octokit/oauth-app.js/blob/0b61f0af38a10e8464c336cc1de2d3a4f9f9a7eb/src/middleware/handle-request.ts#L112-L120

What you can do instead is to set a custom route as the OAuth Redirect URL in your GitHub App settings. In that route, you can take the ?code query parameter and exchange it for the user-to-server token using app.oauth.createToken({ code }), see https://github.com/octokit/oauth-app.js/tree/main?tab=readme-ov-file#appcreatetokenoptions

See also https://github.com/octokit/octokit.js?tab=readme-ov-file#oauth

Does that answer your question?

@gr2m Thanks, it does!
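
The custom callback route suggested in the answer above, as an added example (not code from this thread or from octokit): it exchanges the `?code`, keeps the token in a server-side session and redirects instead of rendering it. `makeCallbackHandler`, `exchangeCode`, `sessions` and the `oauth_state` cookie are assumed names, and the `state` check assumes your login route set that cookie before sending the user to GitHub.

```javascript
// Added example; all names below are hypothetical, not part of octokit.
// In a real app: exchangeCode = async ({ code }) =>
//   (await app.oauth.createToken({ code })).authentication.token
// (result shape assumed from the oauth-app.js README).

function readCookie(req, name) {
  for (const part of (req.headers.cookie ?? "").split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return rest.join("=");
  }
  return "";
}

function makeCallbackHandler({ exchangeCode, sessions, redirectTo = "/" }) {
  return async function handleCallback(req, res) {
    // Dynamic import so the snippet loads as either CommonJS or ESM.
    const { randomBytes, timingSafeEqual } = await import("node:crypto");
    const params = new URL(req.url, "http://localhost:3000").searchParams;
    const code = params.get("code");
    // Reject callbacks whose state does not match the one this browser was given.
    const got = Buffer.from(params.get("state") ?? "");
    const want = Buffer.from(readCookie(req, "oauth_state"));
    const stateOk = got.length > 0 && got.length === want.length && timingSafeEqual(got, want);
    if (!code || !stateOk) {
      res.writeHead(400, { "content-type": "text/plain" });
      return res.end("Invalid OAuth callback");
    }
    let token;
    try {
      token = await exchangeCode({ code });
    } catch {
      res.writeHead(502, { "content-type": "text/plain" });
      return res.end("Token exchange failed");
    }
    // Keep the token server-side; the browser only gets an opaque session id.
    const sid = randomBytes(32).toString("hex");
    sessions.set(sid, { token });
    res.writeHead(302, {
      location: redirectTo,
      "cache-control": "no-store",
      "set-cookie": [
        `sid=${sid}; HttpOnly; SameSite=Lax; Path=/`, // add Secure over HTTPS
        "oauth_state=; Max-Age=0; Path=/",
      ],
    });
    res.end();
  };
}
```

Mount the handler on the route configured as the app's Callback URL, and have later requests look up the token through the `sid` cookie rather than sending it to the browser.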