
Add support for enterprise platform like GitHub Enterprise #6

Closed
kadary opened this issue Jan 27, 2019 · 11 comments
Labels
enhancement Enhancement request

Comments

kadary commented Jan 27, 2019

Hello,

I think it will be a great feature if we can use Vssue in our enterprise platforms.

Look at your GitHub API for example: in its constructor, the API endpoint is hardcoded (https://github.com/meteorlxy/vssue/blob/master/packages/%40vssue/api-github-v3/src/index.ts#L39).
Avoiding this and just using the public GitHub API as the default one will let some users like me integrate Vssue with other GitHub server deployments, as is the case for GitHub Enterprise.

If you want, I can make a pull request for this feature.

meteorlxy (Owner)

I'm not familiar with Github enterprise. Does the baseURL option help? Could you provide docs of github enterprise?

kadary (Author) commented Jan 27, 2019

As stated by the GitHub Enterprise developer doc, your concept of baseUrl can help customizing Vssue to use a GH Enterprise server.
This is the link to the doc: https://developer.github.com/enterprise/2.16/v3/enterprise-admin/.

As a user, the baseUrl can help me provide another endpoint to reach a GitHub server's API than the public GitHub servers (https://api.github.com).

meteorlxy (Owner)

@kadary Thanks! So the API pattern of Github Public API and Github Enterprise API is compatible, right?

  • Github Public API V3 endpoint: https://api.github.com/v3
  • Github Enterprise API V3 endpoint: http(s)://hostname/api/v3

I'll refine the docs about that.

meteorlxy (Owner)

@kadary The Authentication might be different. Could you please help to check if our current api-github-v3 / api-github-v4 works with Github Enterprise?

meteorlxy (Owner) commented Jan 27, 2019

These may not work well, as they are hard-coded to github.com:

window.location.href = buildURL('https://github.com/login/oauth/authorize', {
  client_id: this.clientId,
  redirect_uri: window.location.href,
  // ...

const { data } = await this.$http.post(`https://cors-anywhere.herokuapp.com/${'https://github.com/login/oauth/access_token'}`, {
  client_id: this.clientId,
  client_secret: this.clientSecret,
  // ...

kadary (Author) commented Jan 27, 2019

Hello,

Yes, api-github-v3 works with GitHub Enterprise. I have never used api-github-v4, but I can check that during next week.

The authorization endpoint will work by changing just the hostname to the enterprise server hostname (replace https://github.com with https://github.mycompany.com):

window.location.href = buildURL('https://github.com/login/oauth/authorize', {
  client_id: this.clientId,
  redirect_uri: window.location.href,
  // ...

And the logic can be:

  • if a baseUrl is provided, e.g. https://github.mycompany.com:
    • calling the REST API is done by appending /api/v3 to baseUrl
    • calling the OAuth2 endpoint is done by only using baseUrl as provided
  • else use the public GitHub endpoints

But I think the CORS proxy can be the blocking point, since your CORS Anywhere instance will not see any GitHub Enterprise endpoint. Hopefully, many enterprises provide an in-house CORS proxy for this kind of usage. So you can also add an optional config option to provide a custom GitHub server token endpoint to use here (e.g. https://cors-proxy.company.com?target=https://github.mycompany.com/login/oauth/access_token):

const { data } = await this.$http.post(`https://cors-anywhere.herokuapp.com/${'https://github.com/login/oauth/access_token'}`, {
  client_id: this.clientId,
  client_secret: this.clientSecret,
  // ...

All these make me think about something:

1- CORS Anywhere is used for all your API requests to GitHub, since GitHub does not support CORS.
2- The GitHub app secret is present in frontend JS, which is a high security risk.

Why did you not provide a simple Node server as an option to handle all these for you?

I know it's more complicated to operate, but this can be a killer feature that encourages large enterprises to use Vssue in place of other tools like gitalk, gitment...
The Node server can be just an optional companion app which can reuse your API packages in a secure manner. And the advantages will be:

  • No hidden SPOF (ref cors-anywhere)
  • more secure for handling the OAuth2 secret
  • much more robust and portable by respecting providers' CORS policies.

And if you think it can help Vssue to get to its next gap, I can help you with the companion backend server.
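The endpoint logic proposed in the comment above (REST under baseUrl + /api/v3, OAuth endpoints directly under baseUrl, public github.com otherwise, plus an optional proxy for the token call), written out as an added TypeScript example. This is not Vssue's code: the option names baseUrl and proxy, the function names, and the requirement that baseUrl be an http(s) origin are assumptions; the public endpoints are GitHub's documented ones.

```typescript
// Added example, not Vssue's own code: derive every GitHub endpoint a comment
// widget touches from one optional baseUrl. Option and function names are assumed.

export interface VssueGitHubOptions {
  clientId: string;
  /** Origin of a GitHub Enterprise server, e.g. "https://github.mycompany.com". */
  baseUrl?: string;
  /**
   * Optional CORS proxy for the token endpoint (the only call that needs one):
   * a prefix string (cors-anywhere style) or a function that wraps the URL.
   */
  proxy?: string | ((tokenUrl: string) => string);
}

export interface GitHubEndpoints {
  restApi: string;            // root for REST calls
  oauthAuthorize: string;     // browser redirect target
  oauthAccessToken: string;   // code-for-token exchange (no CORS on github.com)
  proxiedAccessToken: string; // oauthAccessToken routed through `proxy`, if set
}

const PUBLIC_WEB = "https://github.com";
const PUBLIC_API = "https://api.github.com";

// Accept only an http(s) origin: the value ends up in a redirect and in every
// API call, so a stray path, query string or odd scheme must not leak in.
function normalizeBaseUrl(baseUrl: string): string {
  const u = new URL(baseUrl); // throws on malformed input
  if (u.protocol !== "https:" && u.protocol !== "http:") {
    throw new Error(`baseUrl must be http(s), got ${u.protocol}`);
  }
  return u.origin;
}

export function resolveGitHubEndpoints(opts: VssueGitHubOptions): GitHubEndpoints {
  const web = opts.baseUrl ? normalizeBaseUrl(opts.baseUrl) : PUBLIC_WEB;
  // Enterprise serves the REST API under /api/v3 on the same host;
  // github.com serves it from a separate host.
  const restApi = opts.baseUrl ? `${web}/api/v3` : PUBLIC_API;
  const oauthAccessToken = `${web}/login/oauth/access_token`;
  const proxiedAccessToken =
    typeof opts.proxy === "function" ? opts.proxy(oauthAccessToken)
    : typeof opts.proxy === "string" ? `${opts.proxy}${oauthAccessToken}`
    : oauthAccessToken;
  return {
    restApi,
    oauthAuthorize: `${web}/login/oauth/authorize`,
    oauthAccessToken,
    proxiedAccessToken,
  };
}

// Build the authorize redirect. `state` is a per-login random value the page
// stores (e.g. in sessionStorage) and compares when the code comes back, so a
// redirect carrying someone else's code is rejected.
export function buildAuthorizeUrl(
  endpoints: GitHubEndpoints,
  params: { clientId: string; redirectUri: string; scope: string; state: string },
): string {
  const q = new URLSearchParams({
    client_id: params.clientId,
    redirect_uri: params.redirectUri,
    scope: params.scope,
    state: params.state,
  });
  return `${endpoints.oauthAuthorize}?${q.toString()}`;
}
```

Note that the client secret does not appear anywhere in this browser-side configuration; only the token exchange needs it, and that call is the one routed through `proxiedAccessToken`, which is where a companion service would take over.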

meteorlxy (Owner) commented Jan 28, 2019

Thanks so much for your advice.

About CORS

Only the API for getting access token does not support CORS, so we choose a third party cors-anywhere to handle that.

  • The author of Gitment made a CORS proxy himself, which is not stable.

  • Gitalk uses cors-anywhere by default, and has an option proxy to change it.

It's a good idea to add a similar option in Vssue.

About Security

Gitment and Gitalk also hard-code app secret in JS file (see https://github.com/imsun/gitment#is-it-safe-to-make-my-client-secret-public).

But yes, this has potential risks.

I have ever found a possible solution in Netlify: https://www.netlify.com/docs/authentication-providers/.

So we can build a service like Netlify does. Users can config their clientId and clientSecret in our service, and our service gets the access token for users. If so, there would not be CORS and security problems.

If this problem is solved, it will be one of the important advantages of Vssue, and we can release the 1.0 version. It will be nice if you have time to help make Vssue better 😉
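The token-exchange step of such a service, as an added TypeScript example that is neither Vssue's nor Netlify's code. The browser sends only the OAuth `code` it received on the redirect; the clientSecret lives in the service's configuration and the reply carries only the access token, which removes both the CORS problem and the secret-in-the-bundle problem named above. All names, the request/response shapes, the origin allow-list and the assumed format of authorization codes are assumptions; `fetchImpl` is injected so the sample run below uses a constructed fake instead of the network.

```typescript
// Added example, not Vssue's or Netlify's code: server-side code-for-token
// exchange for a companion service. Names and shapes are assumptions.

export interface CompanionConfig {
  clientId: string;
  clientSecret: string;     // lives only here, never in the site's JS bundle
  tokenUrl: string;         // e.g. https://github.mycompany.com/login/oauth/access_token
  allowedOrigins: string[]; // site origins permitted to use this service
}

export interface TokenRequest {
  origin?: string; // the browser's Origin header
  code?: string;   // authorization code returned by GitHub's redirect
}

export interface TokenResponse {
  status: number;
  headers: Record<string, string>;
  body: { access_token?: string; error?: string };
}

// The slice of fetch() this handler needs, so a fake can be injected offline.
export type FetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string>; body: string },
) => Promise<{ ok: boolean; json(): Promise<Record<string, unknown>> }>;

// Assumed shape for authorization codes: short, URL-safe token characters.
const CODE_RE = /^[A-Za-z0-9_-]{1,128}$/;

export function validateTokenRequest(
  req: TokenRequest,
  cfg: CompanionConfig,
): { status: number; error: string } | null {
  // Exact-match the origin; a prefix or substring test would admit look-alikes.
  if (!req.origin || !cfg.allowedOrigins.includes(req.origin)) {
    return { status: 403, error: "origin not allowed" };
  }
  if (!req.code || !CODE_RE.test(req.code)) {
    return { status: 400, error: "missing or malformed code" };
  }
  return null;
}

// Form body GitHub's token endpoint expects; the secret is added here, server-side.
export function buildTokenExchangeBody(cfg: CompanionConfig, code: string): string {
  return new URLSearchParams({
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret,
    code,
  }).toString();
}

export async function handleTokenExchange(
  req: TokenRequest,
  cfg: CompanionConfig,
  fetchImpl: FetchLike,
): Promise<TokenResponse> {
  const problem = validateTokenRequest(req, cfg);
  if (problem) return { status: problem.status, headers: {}, body: { error: problem.error } };
  // CORS headers only for an origin that passed the allow-list, reflecting
  // that exact origin rather than "*".
  const cors = { "Access-Control-Allow-Origin": req.origin as string, Vary: "Origin" };
  const upstream = await fetchImpl(cfg.tokenUrl, {
    method: "POST",
    headers: {
      Accept: "application/json", // asks GitHub for a JSON rather than form-encoded reply
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: buildTokenExchangeBody(cfg, req.code as string),
  });
  const data = await upstream.json();
  if (!upstream.ok || typeof data.access_token !== "string") {
    // Do not echo GitHub's error body to the browser; a generic message is enough.
    return { status: 502, headers: cors, body: { error: "token exchange failed" } };
  }
  return { status: 200, headers: cors, body: { access_token: data.access_token } };
}
```

A real deployment would wrap `handleTokenExchange` in an HTTP route and answer the CORS preflight for the same allow-list; the browser-side counterpart keeps the `state` value it generated before the redirect and only calls this service when the returned `state` matches.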

kadary (Author) commented Jan 28, 2019

For gitment, I have filed an issue in gitment (imsun/gitment#179).

Yes, providing an HA service like Netlify can be a good option.
I will try to push a pull request to you for this feature, with GH Enterprise support as well.

meteorlxy (Owner)

Gitment has not been maintained for a long time, I'm afraid that you won't get a reply 😅

Maybe we need to create another repo for the individual service

meteorlxy (Owner)

Found a repo: https://github.com/prose/gatekeeper

Realvincentyuan

Hi @meteorlxy,

I wonder what the solution for enterprise GitHub is?

  • Simply updating base_url with the enterprise path does not work, as it looks like it fails in the authentication with a 403 error.
  • And the client_secret was explicitly specified in the front end, so it is against the company's policy, so it is even unable to be pushed to the deployment environment.


3 participants