What kind of authorization does giscus have when it can "Act on your behalf"?

[jackdaus]

Hey! Really cool app here, and thanks for making it available for anyone to use.

Question about security. When a GitHub user wants to leave a comment via giscus, they must sign in to GitHub and authorize the giscus app to "Act on your behalf". What set of permissions does this give the giscus app? I understand that giscus obviously needs permission to create/edit/delete discussion items for a particular repository. But the wording "Act on your behalf" is vague and it's not clear what authority I'm giving this app. Does giscus have authority to perform any action that my account could otherwise perform? Thanks for clarifying! Looking forward to using this application in the future.

[laymonage]

Sorry for the alarming notice, unfortunately that's how GitHub phrases it. They definitely should've done a better job at that.

Simply put, it's just so that the app can post comments under your username. For example, if you see the comments in https://github.com/orgs/giscus/discussions/62, most of them have "with giscus" beside the username and timestamp:

For more details, see Authorizing GitHub Apps. See also this comment from a GitHub staff: community/community#37117 (comment)

The actual permissions required by the app will show up when you install it on a repository, which are literally just:

• Metadata access (mandatory)
• Discussions read/write

[jackdaus]

Thanks for the quick response!

Although, I think I am talking about something slightly different. It seems to me there are two ways giscus can act on a user's behalf:

1. As an Installed GitHub App - when as a repository owner I install the giscus app to my repository
2. As an Authorized GitHub App - when a GitHub user, I want to leave a comment on someone else's giscus enabled app.

The screenshots you provide are for case (1). This one I feel safe about; the permissions are clearly enumerated.

However, it is case (2) that gives me pause. When I try to leave a comment on another person's giscus instance, it just says "Act on your behalf" with no further details. I cannot find the specific permissions listed when I go to view my authorized applications:

Is there a way to confirm what permissions are being used in case (2)?

[laymonage]

Not explicitly, no.

Per https://docs.github.com/en/apps/using-github-apps/authorizing-github-apps#to-what-extent-can-a-github-app-know-which-resources-you-can-access--and-act-on-your-behalf, it's limited by:

• The organizations or repositories on which the app is installed
  • giscus can act on the user's behalf on any repository where the app is installed
• The permissions the app has requested
  • The permissions requested on the installed repository, which is read/write access to discussions.
• Your access to GitHub resources
  • The user needs to have access to the repository itself. So, if giscus is installed on a private repo, it still requires the viewer to have access to the repo.

I figure the reason why it's hard for them to make this clear is:

• You only authorize the app once, independently of which repository you'll be interacting with.
• The app's permissions can be changed, though the installation must be reconfigured to grant new permissions. This means that the available permissions may differ across installations (e.g. repo A has granted new permissions, repo B has not).
• User's access can dynamically change.

Thus, ultimately the available permissions are calculated for each action at request time. When reviewing the app's permission as you showed on the screenshot above, they need to show information that's representative of all the installations the app has, and narrow it down to only what's relevant to you. I imagine that's not an easy task, hence they still haven't fixed it. Still, they probably should've rephrased "Act on your behalf".

[jackdaus]

Okay, I see. I now feel safe about case (2). Thanks for reiterating https://docs.github.com/en/apps/using-github-apps/authorizing-github-apps#to-what-extent-can-a-github-app-know-which-resources-you-can-access--and-act-on-your-behalf. I hadn't read it, but this all makes sense in that context.

It is a shame they used the scary verbiage "Act on you behalf". The explainer you linked is very helpful... but I don't think many people (like me) are going to take the time to read it. Hopefully they'll find a solution to that.