
I am building a GitHub OAuth app and attempting to see if I can validate the access_token returned by GitHub upon login. The access_token is returned by GitHub by making a POST call to the endpoint https://github.com/login/oauth/access_token and passing in the CLIENT_ID and CLIENT_SECRET provided by GitHub. Using this access_token, we can then access the user's information. My main question is: is there an endpoint to validate this token? I wanted this because I am running a node server which accesses files on GitHub. As of now, the node endpoint is open and anyone can just call the functions in it. In each function, I would like to check whether the user has a valid token before returning data to them, and as such have some form of security for my node API.

This is how I get the access_token in node

const express = require("express");      // assumed: the handler below is an Express route
const app = express();
const { CLIENT_ID, CLIENT_SECRET } = process.env;

// Exchange the temporary ?code= from GitHub's redirect for an access_token.
app.get("/callback", async (req, res) => {
    const params = new URLSearchParams({
        client_id: CLIENT_ID,
        client_secret: CLIENT_SECRET,
        code: req.query.code,
    });
    const response = await fetch("https://github.com/login/oauth/access_token?" + params, {
        method: "POST",
        headers: { "Accept": "application/json" },   // JSON instead of form-encoded reply
    });
    const data = await response.json();
    res.json(data);   // { access_token, token_type, scope } goes back to the caller
});

I have tried the following cURL command against the endpoint, and it does return data

curl -H 'Authorization: token myGitHubAccessToken' https://api.github.com/user/repos

reference: https://onecompiler.com/questions/3uxsn58yz/how-to-test-a-github-access-token-is-valid

The above command does return data and my client ID, so it is somewhat useful. However, the access_token, of which GitHub returns a new one every time the user logs in, itself seems never to expire. So I can copy a previously returned token to get the same data dump in the above command. I had read in "What's the lifetime of GitHub OAuth API access token" that the token never expires, but that itself is an issue. Is there some other method I should use to get around this issue? I don't want my APIs to be open. If I could validate the access_token provided by GitHub in every one of the node functions and also have it expire upon logging out, the issue would be resolved.

I also tried some options mentioned here: https://developer.github.com/changes/2/, of which https://docs.github.com/en/rest/apps/oauth-applications?apiVersion=2022-11-28#check-a-token made the most sense to me. But the cURL command given on that page:

curl \
  -X DELETE \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/applications/Iv1.8a61f9b3a7aba766/token \
  -d '{"access_token":"e72e16c7e42f292c6912e7710c838347ae178b4a"}'

does not seem to work. It returns Bad Data.

Please advise! Thank you!!

madmax821

1 Answer


Found the answer:

To check access token:

curl -H 'Authorization: token access_token' https://api.github.com/user/repos

The above command returns repos. For me, this is enough because I just want some reply from GitHub using the token that's not a 404.

To delete the token:

curl \
  -X DELETE \
  -H "Accept: application/vnd.github.v3+json" \
  -u CLIENT_ID:CLIENT_SECRET \
  https://api.github.com/applications/CLIENT_ID/token \
  -d '{"access_token":"ACCESS_TOKEN"}'

Reference: Remove/revoke GitHub OAuth 'access_token'

Apologies for the bad editing. Can't get it to look just right.

Tyler2P
madmax821
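The following is an added example, not code from the question, the answer, or GitHub. It shows what the accepted answer gets at with curl, done inside the node server itself: GitHub's "Check a token" endpoint (POST /applications/{client_id}/token with the token in the JSON body) authenticated with Basic auth using the OAuth app's client_id:client_secret rather than the user's token, wrapped as an Express-style middleware so every route verifies the token before returning data, plus the matching DELETE call on logout so a copied token stops working. The client ID "Iv1.example", the secret "secret-example", the token "gho_valid" and the fakeGitHubFetch stand-in are constructed placeholders so the code runs offline; in production pass the real fetch and the credentials from the environment. Needs Node 18+.

```javascript
// Added example, not code from the question or the answer. It wires GitHub's
// "Check a token" (POST /applications/{client_id}/token) and "Delete an app
// token" (DELETE on the same path) into a Node/Express-style middleware.
// Both endpoints authenticate with Basic auth using the OAuth app's
// client_id:client_secret, not with the user's token. Needs Node 18+ (global
// fetch, Buffer). "Iv1.example" / "secret-example" are placeholder credentials.

const API = "https://api.github.com";

// Basic auth header built from the OAuth app's own credentials.
function appAuthHeader(clientId, clientSecret) {
  const creds = Buffer.from(`${clientId}:${clientSecret}`, "utf8").toString("base64");
  return `Basic ${creds}`;
}

// Request for POST /applications/{client_id}/token with {"access_token": ...}.
function buildCheckRequest(clientId, clientSecret, accessToken) {
  return {
    url: `${API}/applications/${encodeURIComponent(clientId)}/token`,
    init: {
      method: "POST",
      headers: {
        Accept: "application/vnd.github+json",
        Authorization: appAuthHeader(clientId, clientSecret),
        "Content-Type": "application/json",
        "X-GitHub-Api-Version": "2022-11-28",
      },
      body: JSON.stringify({ access_token: accessToken }),
    },
  };
}

// Same path with DELETE revokes the token (what the answer's second curl does).
function buildRevokeRequest(clientId, clientSecret, accessToken) {
  const { url, init } = buildCheckRequest(clientId, clientSecret, accessToken);
  return { url, init: { ...init, method: "DELETE" } };
}

// 200 = token is live and belongs to this app; 404 = unknown or revoked;
// 401 = our own client credentials were rejected (server misconfiguration).
function interpretCheckResponse(status, body) {
  if (status === 200 && body && body.user) {
    return { valid: true, login: body.user.login, scopes: body.scopes || [] };
  }
  if (status === 404) return { valid: false, reason: "token not found or revoked" };
  if (status === 401) throw new Error("GitHub rejected the app client_id/client_secret");
  return { valid: false, reason: `unexpected status ${status}` };
}

// Accept "Authorization: Bearer <t>" or the older "Authorization: token <t>".
function extractBearer(headerValue) {
  const m = /^(?:Bearer|token)\s+(\S+)$/i.exec(headerValue || "");
  return m ? m[1] : null;
}

async function checkToken(accessToken, { clientId, clientSecret, fetchImpl = globalThis.fetch }) {
  const { url, init } = buildCheckRequest(clientId, clientSecret, accessToken);
  const res = await fetchImpl(url, init);
  const body = res.status === 200 ? await res.json() : null;
  return interpretCheckResponse(res.status, body);
}

// Logout: revoke at GitHub so a copied token stops working. 204 = revoked.
async function revokeToken(accessToken, { clientId, clientSecret, fetchImpl = globalThis.fetch }) {
  const { url, init } = buildRevokeRequest(clientId, clientSecret, accessToken);
  const res = await fetchImpl(url, init);
  return res.status === 204;
}

// Express-style middleware: each protected route asks GitHub about the token
// before returning data. Usage: app.get("/files", requireGitHubToken(opts), handler)
function requireGitHubToken(opts) {
  return async (req, res, next) => {
    const token = extractBearer(req.headers["authorization"]);
    if (!token) return res.status(401).json({ error: "missing token" });
    try {
      const verdict = await checkToken(token, opts);
      if (!verdict.valid) return res.status(401).json({ error: verdict.reason });
      req.githubUser = verdict.login; // the handler can rely on this verified identity
      next();
    } catch (err) {
      res.status(500).json({ error: "token check failed" }); // do not leak details
    }
  };
}

// Constructed stand-in for api.github.com so the example runs offline; it only
// knows one token and forgets it once revoked. Use the real fetch in production.
const fakeStore = new Set(["gho_valid"]);
function fakeGitHubFetch(url, init) {
  const respond = (status, body = {}) => Promise.resolve({ status, json: async () => body });
  if (init.headers.Authorization !== appAuthHeader("Iv1.example", "secret-example")) return respond(401);
  const { access_token } = JSON.parse(init.body);
  if (!fakeStore.has(access_token)) return respond(404);
  if (init.method === "DELETE") { fakeStore.delete(access_token); return respond(204); }
  return respond(200, { scopes: ["repo"], user: { login: "octocat" } });
}
```

Two design points worth noting. The check call costs a round trip to GitHub per request, so a short-lived in-memory cache keyed by token (a minute or so) is the usual next step; keep the TTL short, because revocation on logout only takes effect once the cache entry dies. And the app's client_secret must stay on the server: the Basic auth header here is built server-side and never reaches the browser, unlike the access_token that the question's callback echoes to the client.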