8 changes: 6 additions & 2 deletions config.env.py
Expand Up @@ -11,6 +11,9 @@
# OpenID Connect SSO config
OIDC_ISSUER = os.environ.get('OIDC_ISSUER',
'https://sso.csh.rit.edu/auth/realms/csh')

OIDC_REDIRECT_URI = os.environ.get('OIDC_REDIRECT_URI',
'https://eac.csh.rit.edu/redirect_uri')
OIDC_CLIENT_CONFIG = {
'client_id': os.environ.get('OIDC_CLIENT_ID', ''),
'client_secret': os.environ.get('OIDC_CLIENT_SECRET', ''),
Expand All @@ -28,9 +31,10 @@
SLACK_SECRET = os.environ.get('SLACK_SECRET', '')

# GitHub secrets
GITHUB_OAUTH_CLIENT_ID = os.environ.get('GITHUB_OAUTH_CLIENT_ID', '')
GITHUB_OAUTH_CLIENT_SECRET = os.environ.get('GITHUB_OAUTH_CLIENT_SECRET', '')
GITHUB_REDIRECT_URI = os.environ.get('GITHUB_REDIRECT_URI',
'https://eac.csh.rit.edu/github/return')
GITHUB_APP_CLIENT_ID = os.environ.get('GITHUB_APP_CLIENT_ID', '')
GITHUB_APP_CLIENT_SECRET = os.environ.get('GITHUB_APP_CLIENT_SECRET', '')
GITHUB_APP_PRIVATE_KEY = os.environ.get('GITHUB_APP_PRIVATE_KEY', '')

# Twitch secrets
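Review bot: The GitHub app credentials fall back to the empty string (`os.environ.get('GITHUB_APP_CLIENT_SECRET', '')`), so a deployment that lacks them still starts and the gap presumably shows up only when a user reaches the OAuth callback and the token exchange is sent with blank credentials. A startup check that refuses to run while `GITHUB_APP_CLIENT_ID`, `GITHUB_APP_CLIENT_SECRET` or `GITHUB_APP_PRIVATE_KEY` is empty would surface the misconfiguration at deploy time. `OIDC_REDIRECT_URI` and `GITHUB_REDIRECT_URI` both default to the production host, so a non-production instance has to override them; a comment beside each, such as `# must match the callback URL registered with the provider`, would make that requirement visible.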
42 changes: 32 additions & 10 deletions eac/__init__.py
Expand Up @@ -55,7 +55,9 @@

_GITHUB_AUTH_URI = 'https://github.com/login/oauth/authorize' \
+ '?client_id=%s' \
+ '&state=%s'
+ '&state=%s' \
+ '&redirect_uri=%s'

_GITHUB_TOKEN_URI = 'https://github.com/login/oauth/access_token' \
+ '?client_id=%s' \
+ '&client_secret=%s' \
Expand Down Expand Up @@ -151,7 +153,8 @@ def _auth_github() -> werkzeug.Response:
# Redirect to github for authorisation
return redirect(
_GITHUB_AUTH_URI %
(APP.config['GITHUB_OAUTH_CLIENT_ID'], APP.config['STATE']))
(APP.config['GITHUB_APP_CLIENT_ID'], APP.config['STATE'],
urllib.parse.quote(APP.config['GITHUB_REDIRECT_URI'], safe='')))


@APP.route('/github/return', methods=['GET'])
Expand All @@ -165,8 +168,8 @@ def _github_landing() -> tuple[str, int]:
# Get token from github
resp = requests.post(
_GITHUB_TOKEN_URI %
(APP.config['GITHUB_OAUTH_CLIENT_ID'],
APP.config['GITHUB_OAUTH_CLIENT_SECRET'], request.args.get('code')),
(APP.config['GITHUB_APP_CLIENT_ID'],
APP.config['GITHUB_APP_CLIENT_SECRET'], request.args.get('code')),
headers={'Accept': 'application/json'},
timeout=APP.config['REQUEST_TIMEOUT'])
try:
Expand All @@ -176,9 +179,14 @@ def _github_landing() -> tuple[str, int]:
raise e

resp_json = resp.json()
token = resp_json['access_token']
try:
user_token = resp_json['access_token']
except KeyError as e:
print('error: ', e, resp_json)
raise e

header = {
'Authorization': 'token ' + token,
'Authorization': 'Bearer ' + user_token,
'Accept': 'application/vnd.github.v3+json'
}

Expand All @@ -200,7 +208,7 @@ def _github_landing() -> tuple[str, int]:
uid = str(session['userinfo'].get('preferred_username', ''))
member = _LDAP.get_member(uid, uid=True)

_link_github(github_username, github_id, member)
_link_github(github_username, github_id, member, user_token)
return render_template('callback.html'), 200


Expand Down Expand Up @@ -255,7 +263,8 @@ def _auth_github_org() -> str:
return org_token


def _link_github(github_username: str, github_id: str, member: Any) -> None:
def _link_github(github_username: str, github_id: str, member: Any,
user_token: str) -> None:
"""
Puts a member's github into LDAP and adds them to the org.
:param github_username: the user's github username
Expand Down Expand Up @@ -286,6 +295,17 @@ def _link_github(github_username: str, github_id: str, member: Any) -> None:
print('response:', resp.json())
raise e

github_user_headers = {
'Accept': 'application/vnd.github.v3+json',
'Authorization': f'Token {user_token}',
}

requests.patch(
'https://api.github.com/user/memberships/orgs/ComputerScienceHouse',
headers=github_user_headers,
json={'state': 'active'},
timeout=APP.config['REQUEST_TIMEOUT'])

member.github = github_username


Expand All @@ -296,6 +316,9 @@ def _revoke_github() -> werkzeug.Response:
uid = str(session['userinfo'].get('preferred_username', ''))
member = _LDAP.get_member(uid, uid=True)

github_id = member.github
member.github = None

org_token = _auth_github_org()

headers = {
Expand All @@ -305,7 +328,7 @@ def _revoke_github() -> werkzeug.Response:

resp = requests.delete(
'https://api.github.com/orgs/ComputerScienceHouse/members/' +
member.github,
github_id,
headers=headers,
timeout=APP.config['REQUEST_TIMEOUT'],
)
Expand All @@ -316,7 +339,6 @@ def _revoke_github() -> werkzeug.Response:
print('response:', resp.json())
raise e

member.github = None
return jsonify(success=True)


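Review bot: In `_revoke_github`, `member.github = None` now runs before the `requests.delete` call, so if GitHub rejects the removal or the request times out, the handler raises with the link already cleared while the account is still an organization member. A retry would then read `None` into `github_id` and fail on the URL concatenation, leaving no way through this endpoint to finish the removal (this assumes the attribute assignment is persisted immediately, which the hunk does not show). Keeping `github_id = member.github` but moving `member.github = None` back below the status check restores the earlier order, where the record is cleared only after GitHub confirms the removal. If the reorder was meant to unstick members who have already left the organization, treating a 404 from the DELETE as success would cover that case without clearing the record early. The status-check block of this function lies partly outside the visible hunks.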