Is it safe for users of my API to 'Sign In With GitHub' using passport-github?
I don't believe that the GitHub OAuth2 implementation supports your use case to authenticate users, so from both a security and maintainability perspective I don't think it is a great idea. From the first paragraph of the documentation:
OAuth2 is a protocol that lets external applications request authorization to private details in a user's GitHub account without getting their password.
My assumption in the discussion below is that the authorization code and access token in the GitHub OAuth2 implementation are opaque to your client.
In the GitHub scenario, we have the following OAuth roles:
- Resource Server - GitHub server that provides profile information about users
- Client - Your HelloAPI
- Authorization Server - GitHub auth server
- Resource Owner - Your application end user
The passport-github
implementation authenticates a user by using the access token gained by your client as part of the OAuth2 flow and then requesting the user profile information from the GitHub resource server at https://api.github.com/user
.
For example:
- Joe Bloggs logs in to GitHub via the redirect from your client.
- The access token that your client receives is opaque containing no information about the identity of Joe.
- You make a request to the GitHub resource server from your client to retrieve the profile associated with the access token
- Joe's profile is returned by the resource server and you assume that Joe is the entity that has presented the access token to your client.
The issue for me is that there is no direct 'evidence' as part of this process to ensure that the identity that authenticated to GitHub as part of the OAuth flow is the same identity that is returned in the profile information used to make your authentication decision in the app. For me this is a fail from an information integrity perspective, and so I would not consider this 'secure'.
Given that the passport-github
implementation doesn't appear to be a supported authentication scenario by GitHub it also creates risk in the event that GitHub changes their implementation in any way. It is best to use supported protocols and use APIs for their intended purposes to ensure security and maintainability.