
RFC: Verified Account Linking #71

Closed
wants to merge 5 commits into from

Conversation

@djsauble commented Nov 26, 2019

What / Why

Add a verified way to link your npm account with other accounts that you own.

OSS works because of its web of trust. When anyone can masquerade as anyone else, this web of trust is weakened. We need a way for someone linking their (for example) GitHub or Twitter account to prove ownership of those linked accounts.

See the RFC for more details.

@djsauble djsauble changed the title Verified account linking RFC: Verified account linking Nov 26, 2019
@djsauble djsauble changed the title RFC: Verified account linking RFC: Verified Account Linking Nov 26, 2019
@ljharb (Contributor) commented Nov 26, 2019

Would this be queryable from the outside, ie, if i know someone's github, i could trivially determine which npm account is linked to it?

@djsauble (Author) commented

Potentially, yes! The registry will store that information. This RFC outlines a CLI-based interface for interacting with that information, which doesn't preclude making it available via a general-purpose API.

@djsauble added the labels Agenda (will be discussed at the Open RFC call), Enhancement (new feature or improvement), Needs Discussion (is pending a discussion), Registry, semver:minor (new backwards-compatible feature) and semver:major (backwards-incompatible breaking changes), and removed the label semver:minor (new backwards-compatible feature), Nov 27, 2019
@mikemimik commented

Would these all just be OAuth handshakes? I know I've come across similar features on other platforms. If I make an account on npm, and want to link my github, I have to log into github to prove I own that account. Which is an OAuth flow right? Can we still accomplish this from the CLI?

@ljharb (Contributor) commented Jan 21, 2020

The CLI can provide you a URL you need to visit to complete the oauth flow, which is a standard way to complete the oauth dance from the CLI.

@ThisIsMissEm commented

@djsauble have you looked into something like how keybase verifies identity? https://keybase.io/docs/proof_integration_guide

@nickserv commented Jan 2, 2023

This has already been implemented for GitHub and Twitter.

@ljharb (Contributor) commented Jan 2, 2023

@nickmccurdy is this queryable via the api? also, can i link an npm org to a github org?

@nickserv commented Jan 2, 2023

> is this queryable via the api?

Yes: https://registry.npmjs.org/-/npm/v1/user

> also, can i link an npm org to a github org?

I can't confirm this since I'm not in any npm orgs, but I'm assuming no, since this is documented as an account level feature.

@ljharb (Contributor) commented Jan 2, 2023

I'm not sure the RFC can be considered completed if it doesn't work for orgs?

@nickserv commented Jan 3, 2023

You could at least verify based on who published the package though, right?

@ljharb (Contributor) commented Jan 3, 2023

if it was based on publishes it’d be in package.json; this is a momentary setting that isn’t connected to publishes.

@nickserv commented Jan 4, 2023

I mean you could programmatically find the publishing user and then look up their profile via the API.

@ljharb (Contributor) commented Jan 4, 2023

True, although unfortunately the packument only preserves the npm username at the time of publish, not the GitHub account they were linked with at the time, and I'm not sure the GitHub API can tell me what historical permissions an account had.
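The approach the last two comments sketch (find the publishing user per version from the packument, then look up that user's linked accounts) as an added example, not code from this RFC or from npm. It reads the `_npmUser` field the registry records on each published version, orders versions by the packument's `time` map, flags versions whose publisher differs from the previous one, and joins each publisher to a linked-accounts lookup. The packument and the profile directory are constructed samples; the registry's `/-/npm/v1/user` endpoint returns only the authenticated caller's own profile, so resolving other users' links is represented by a stand-in map. The caveat from the thread is baked in: the join can only report what the link is now, not what it was at publish time.

```javascript
// Added example (not npm's code): trace a package's publishers through the
// packument and resolve them to their *currently* linked accounts.

// Constructed sample packument, trimmed to the fields this example reads.
const SAMPLE_PACKUMENT = {
  name: 'example-pkg',
  'dist-tags': { latest: '1.2.0' },
  time: {
    '1.0.0': '2021-03-01T10:00:00.000Z',
    '1.1.0': '2022-06-15T12:00:00.000Z',
    '1.2.0': '2023-01-02T09:30:00.000Z',
  },
  versions: {
    '1.0.0': { _npmUser: { name: 'alice', email: 'alice@example.invalid' } },
    '1.1.0': { _npmUser: { name: 'alice', email: 'alice@example.invalid' } },
    '1.2.0': { _npmUser: { name: 'mallory', email: 'mallory@example.invalid' } },
  },
};

// Constructed stand-in for "look up a user's linked accounts". The link is a
// present-tense profile setting, not a per-publish record, so this map can
// only describe the state at lookup time (assumption: the shape of the data).
const SAMPLE_PROFILES = {
  alice: { github: 'alice-gh', twitter: 'alice_tw' },
  mallory: { github: null, twitter: null },
};

// Sort versions by the registry's `time` map so "previous publisher" is
// meaningful; semver order and publish order are not always the same.
function versionsInPublishOrder(packument) {
  return Object.keys(packument.versions)
    .sort((a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]));
}

// Returns [{ version, publishedAt, publisher, changedPublisher }] in publish order.
function publishHistory(packument) {
  const history = [];
  let previous = null;
  for (const version of versionsInPublishOrder(packument)) {
    const publisher = packument.versions[version]._npmUser?.name ?? null;
    history.push({
      version,
      publishedAt: packument.time[version],
      publisher,
      changedPublisher: previous !== null && publisher !== previous,
    });
    previous = publisher;
  }
  return history;
}

// Versions whose publisher differs from the one before: the signal a consumer
// would want to review before upgrading.
function suspiciousVersions(packument) {
  return publishHistory(packument)
    .filter((entry) => entry.changedPublisher)
    .map((entry) => entry.version);
}

// Join each distinct publisher to its linked accounts as known *now*.
// Unknown publishers get an explicit "no links" record rather than being dropped.
function linkedAccountsForPublishers(packument, profiles) {
  const result = {};
  for (const entry of publishHistory(packument)) {
    if (entry.publisher === null) continue;
    result[entry.publisher] = profiles[entry.publisher] ?? { github: null, twitter: null };
  }
  return result;
}

// Live variant for real packages (Node 18+ global fetch). Not called here so the
// example stays offline; pass its result to the functions above.
async function fetchPackument(name) {
  const res = await fetch(`https://registry.npmjs.org/${name}`);
  if (!res.ok) throw new Error(`registry returned ${res.status} for ${name}`);
  return res.json();
}
```

On the sample data, `suspiciousVersions` flags `1.2.0` because the publisher changed from `alice` to `mallory`, and the linked-accounts join shows `mallory` with no verified GitHub or Twitter account today. Whether `mallory` had a verified link on the day 1.2.0 was published is exactly what this data cannot answer.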

@djsauble djsauble closed this by deleting the head repository Jul 9, 2024
Labels
Enhancement new feature or improvement Needs Discussion is pending a discussion semver:major backwards-incompatible breaking changes
6 participants