GitHub authentication logic issues

This is probably obvious to everyone, but I just wanted to point out that the way GitHub authentication is implemented in chapter 23 has a couple of issues, because it matches GitHub users to local users by username.

First, if someone signed up with a regular account (not using GitHub authentication), picked the username johndoe and set a password, an attacker could then create a GitHub account using that username and log into the original user's account on your Vapor service.

Second, if someone signed up using GitHub authentication with a particular username, they'd get a new account created using their GitHub username. If they subsequently change their GitHub username and try to log in again to your Vapor service, they'd be given a totally new and blank account.

Of course TIL is a low-stakes service, but I still wanted to point that out since I didn't see any warnings regarding that in the text.
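The two problems above come from using a mutable, reusable attribute (the GitHub login name) as the link between a GitHub identity and a local account. The following is an added example, not code from the post or from the book's TIL project: plain Swift with an in-memory store (the `GitHubProfile`, `User` and `UserStore` types are constructed for illustration, not Vapor or Fluent models). It shows the username-matching logic the post describes next to a variant that links on GitHub's numeric user id, which stays constant when the login name changes and is never handed to another account.

```swift
import Foundation

/// Constructed model of what a GitHub OAuth callback yields after fetching the user.
/// GitHub's numeric `id` is stable for the life of the account; `login` (the
/// username) can be changed by its owner and later claimed by someone else.
struct GitHubProfile {
    let id: Int
    let login: String
}

/// Hypothetical local user model for a TIL-style service.
struct User {
    let localID: UUID
    var username: String
    var passwordHash: String?   // nil for accounts created through GitHub
    var githubID: Int?          // stable link to a GitHub account; nil if never linked
}

/// Minimal in-memory stand-in for the database layer.
final class UserStore {
    private(set) var users: [User] = []

    func find(byUsername username: String) -> User? { users.first { $0.username == username } }
    func find(byGitHubID id: Int) -> User? { users.first { $0.githubID == id } }
    func insert(_ user: User) { users.append(user) }
    func update(_ user: User) {
        if let i = users.firstIndex(where: { $0.localID == user.localID }) { users[i] = user }
    }
}

enum LoginError: Error { case usernameTaken(String) }

/// Variant with the flaw described in the post: the GitHub login name alone decides
/// which local account the caller becomes.
func loginMatchingByUsername(_ profile: GitHubProfile, store: UserStore) -> User {
    if let existing = store.find(byUsername: profile.login) {
        return existing   // issue 1: a password account with the same name is taken over
    }
    let created = User(localID: UUID(), username: profile.login, passwordHash: nil, githubID: nil)
    store.insert(created)
    return created        // issue 2: a renamed GitHub user gets a fresh, empty account
}

/// Hardened variant: match on GitHub's stable numeric id and never merge by name.
func loginMatchingByGitHubID(_ profile: GitHubProfile, store: UserStore) throws -> User {
    // Returning GitHub user: found by id even if the login changed since last visit.
    if var existing = store.find(byGitHubID: profile.id) {
        if existing.username != profile.login, store.find(byUsername: profile.login) == nil {
            existing.username = profile.login   // follow the rename only if the name is free
            store.update(existing)
        }
        return existing
    }
    // First GitHub login: refuse to silently attach to a local account that merely
    // shares the name. Linking an existing password account must be an explicit,
    // already-authenticated action, not a side effect of the OAuth callback.
    if store.find(byUsername: profile.login) != nil {
        throw LoginError.usernameTaken(profile.login)
    }
    let created = User(localID: UUID(), username: profile.login, passwordHash: nil, githubID: profile.id)
    store.insert(created)
    return created
}

// Demonstration with constructed data.
let store = UserStore()
store.insert(User(localID: UUID(), username: "johndoe", passwordHash: "<password hash>", githubID: nil))

// Issue 1: a GitHub account whose login equals an existing local username.
let sameName = GitHubProfile(id: 424242, login: "johndoe")
let byName = loginMatchingByUsername(sameName, store: store)
print("username match:", byName.passwordHash != nil ? "entered the password account" : "new account")
do {
    _ = try loginMatchingByGitHubID(sameName, store: store)
} catch LoginError.usernameTaken(let name) {
    print("id match: refused to attach GitHub user to local account '\(name)'")
} catch {
    print("unexpected error:", error)
}

// Issue 2: a legitimate GitHub user renames their account between logins.
let store2 = UserStore()
let first  = try loginMatchingByGitHubID(GitHubProfile(id: 777, login: "alice"), store: store2)
let second = try loginMatchingByGitHubID(GitHubProfile(id: 777, login: "alice-renamed"), store: store2)
print("same local account after rename:", first.localID == second.localID)
```

The `usernameTaken` path is the defensive choice for the first issue: the callback can redirect to a page that asks the already logged-in local user to link their GitHub account, rather than deciding on their behalf. Persisting `githubID` (with a unique constraint in the real database) is what makes the second issue disappear, because the lookup no longer depends on the login name at all.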

Welcome to the forum community @ahmadh and thank you for pointing this out! Hopefully others will find this information useful as they go through the book.

Best,
Gina