Authenticate bounty Collaborators using Github OAuth

[dckc]

part of #260

see also #413 discord oauth for verifying members

related work: Google OAuth with xataface: https://github.com/dckc/hh-office/tree/master/Auth/gapp

cc @hyperevo

[BelovedAquila]

@dckc please may I ask what version of OAuth is intended on being used both for the Github open authorization and likewise that of discord on #413?

[dckc]

Whatever version the service providers (github, discord) use. I haven't checked. OAuth 2, I suppose.

[BelovedAquila]

Alright, please is the Github OAuth aimed at authenticating or authorizing, because I use to know OAuth to be a kind of pseudo authenticator not basically for authentication, though an exception if a new version which does that is actually onboard

[hyperevo]

I have implemented a bare bones github oauth. Progress is moving ahead nicely. I forked the original bounty website code here that includes xataface and github oauth: https://github.com/hyperevo/rchain-dbr

[hyperevo]

I updated the repo. Did a lot more testing and updating to improve security. Github Oauth integration is fully functional now. The xataface use menu system has been updated to allow login, logout, and coop member verification via discord oauth.

[dckc]

@hyperevo writes:

Ian thinks we need to get email addresses. -- March 4

I'm pretty sure we don't. @ian-bloom would you please clarify?

Even if we need email addresses, I doubt we should get them from github.

[dckc]

@hyperevo I pulled your code in as https://github.com/dckc/rchain-dbr/commits/gauth-evo; but then as we discussed, I squashed the commits that removed code we didn't write, so please pick up from this branch: https://github.com/dckc/rchain-dbr/commits/gauth .

I did a little work on automated deployment on top: currently 7684885.

[dckc]

@hyperevo the login workflow does a lot of what I expect, but when it gets back to .../github_auth_callback.php?code=... I get could not write to database.

The new code is deployed at http://rchain-dbr.nfshost.com/rchain-dbr-beta/

[dckc]

ah... I see... more columns are expected in the database. Did you update dbr_tables.sql or write any migrations?

And I'm still not comfortable with the approach to preventing SQL injection: hyperevo/rchain-dbr@c29f464#r27940071

[dckc]

We're just about ready to claim victory on this one.

The session_token column is too visible; that seems like the one remaining critical issue.

I re-worked the way the SQL query is built:

• use bind_param to avoid SQL injection dckc/rchain-dbr@57c9728

I don't have the discord part wired up yet, though.

[dckc]

The session_token is hidden now.

dckc/rchain-dbr@6ee5030