javascript - Publish a limited GitHub API personal token

According to this link there is a scope for the OAuth tokens that seems to provide access to the GitHub public resources only.

(no scope): Grants read-only access to public information (includes public user profile info, public repository info, and gists)

Is it still insecure to include this personal access token in my JavaScript client side code?

2 Answers

  1. Randolph

    2019-11-14

    VonC's answer is correct but the main risk of making the token public is missing:

    A malicious person can intentionally overuse your token, which can drain your API quota or may even result in your token or GitHub account being blocked.

    Find below the response I got from GitHub support:

    Publishing such a scopeless token is not insecure in the sense that the token can only be used to fetch information that is already publicly available -- it can't be used to fetch any private data and can't be used to modify any data.

    However, you might consider it insecure in the sense that all your tokens share the same GitHub API quota (https://developer.github.com/v3/#rate-limiting). So, if someone takes your token and makes lots of API requests with it -- they will drain your quota and all your other tokens and applications you authorized will need to wait until the quota refreshes.

    Also, if such a person makes lots of API requests in a short period of time with your token -- they might trigger our abuse rate limits (https://developer.github.com/guides/best-practices-for-integrators/#dealing-with-abuse-rate-limits) and if they don't slow down -- it's possible we might need to block that token or the whole account to prevent further problems on our end (and for other users).

  2. Randy

    2019-11-14

    It is not insecure, you just need to acknowledge the management aspect.

    If your account is deleted for any reason, or if you revoke the token, it will become invalid, meaning any user of your JavaScript client code will experience a disruption, until you publish an update.

    That being said, you can see this approach (include a 'no-scope' PAT) used in this repo for instance.
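Pulling the two answers together, here is an added example (my own code, not from either answer or from the linked repo) of how a client that embeds a scopeless PAT can cope with the two failure modes they describe: a drained quota (answer 1) and a revoked token or deleted account (answer 2). The client reads GitHub's `X-RateLimit-Remaining` / `X-RateLimit-Reset` headers, backs off when the quota is gone instead of hammering the API, and falls back to an anonymous request if the token is rejected so users see degraded service rather than an outage. The token value, the `makeFakeFetch` stand-in and the option names are assumptions made for the example.

```javascript
// Added example (not from the original answers): a client helper that calls the
// GitHub REST API with an embedded scopeless token, reads the rate-limit headers,
// and degrades gracefully when the token is revoked or the quota is drained.
// EMBEDDED_TOKEN is a placeholder, not a real token.
const EMBEDDED_TOKEN = "PLACEHOLDER_SCOPELESS_PAT";
const API_BASE = "https://api.github.com";

// Read a numeric header; `headers` only needs a get(name) method (Headers or Map).
function headerNumber(headers, name) {
  const raw = headers.get(name);
  if (raw === null || raw === undefined || raw === "") return null;
  const n = Number(raw);
  return Number.isFinite(n) ? n : null;
}

// Parse GitHub's X-RateLimit-* response headers (names are case-insensitive).
function parseRateLimit(headers) {
  const reset = headerNumber(headers, "x-ratelimit-reset"); // epoch seconds
  return {
    remaining: headerNumber(headers, "x-ratelimit-remaining"),
    resetAtMs: reset === null ? null : reset * 1000,
  };
}

// Classify a response into the situations the answers describe.
function classifyResponse(status, rateLimit) {
  if (status === 401) return "token-invalid"; // token revoked or account gone
  if (status === 403 || status === 429) {
    // Primary quota drained vs. secondary (abuse) rate limit.
    return rateLimit.remaining === 0 ? "quota-exhausted" : "abuse-limited";
  }
  if (status >= 200 && status < 300) return "ok";
  return "error";
}

// Fetch a public GitHub resource. Tries the embedded token first; if the token is
// rejected, retries once anonymously (smaller quota, but no hard outage). If the
// quota is drained, reports how long to wait rather than retrying in a loop.
async function githubGet(path, { fetchImpl = globalThis.fetch, token = EMBEDDED_TOKEN, now = Date.now } = {}) {
  const accept = "application/vnd.github+json";
  const attempts = [
    { headers: { Accept: accept, Authorization: `token ${token}` }, anonymous: false },
    { headers: { Accept: accept }, anonymous: true },
  ];
  for (const attempt of attempts) {
    const resp = await fetchImpl(`${API_BASE}${path}`, { headers: attempt.headers });
    const rateLimit = parseRateLimit(resp.headers);
    const outcome = classifyResponse(resp.status, rateLimit);
    if (outcome === "ok") {
      return { ok: true, anonymous: attempt.anonymous, data: await resp.json(), rateLimit };
    }
    if (outcome === "token-invalid" && !attempt.anonymous) continue; // fall back once
    const retryAfterMs = rateLimit.resetAtMs === null ? null : Math.max(0, rateLimit.resetAtMs - now());
    return { ok: false, anonymous: attempt.anonymous, outcome, retryAfterMs, rateLimit };
  }
}

// Constructed stand-in for fetch() so the example runs offline (assumption, not a
// real GitHub response): optionally treats the token as revoked and simulates a quota.
function makeFakeFetch({ tokenRevoked, quotaRemaining, resetEpochSec }) {
  return async (url, { headers }) => {
    const headersOut = new Map([
      ["x-ratelimit-remaining", String(quotaRemaining)],
      ["x-ratelimit-reset", String(resetEpochSec)],
    ]);
    if (headers.Authorization && tokenRevoked) {
      return { status: 401, headers: headersOut, json: async () => ({ message: "Bad credentials" }) };
    }
    if (quotaRemaining === 0) {
      return { status: 403, headers: headersOut, json: async () => ({ message: "API rate limit exceeded" }) };
    }
    return { status: 200, headers: headersOut, json: async () => ({ url, full_name: "octocat/Hello-World" }) };
  };
}

// Demo: revoked token falls back to anonymous; drained quota yields a wait time.
async function demo() {
  const revoked = await githubGet("/repos/octocat/Hello-World", {
    fetchImpl: makeFakeFetch({ tokenRevoked: true, quotaRemaining: 55, resetEpochSec: 1700000000 }),
  });
  const drained = await githubGet("/repos/octocat/Hello-World", {
    fetchImpl: makeFakeFetch({ tokenRevoked: false, quotaRemaining: 0, resetEpochSec: 1700000000 }),
    now: () => 1700000000 * 1000 - 30000, // 30 s before the quota resets
  });
  return { revoked, drained };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The important design choice is that the client never treats a 401 or 403 as fatal: a revoked token drops it to the anonymous quota, and a drained quota turns into a `retryAfterMs` the UI can display or sleep on, which is exactly the "management aspect" the answers refer to.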
