How to allow a public app to connect to the GitHub API v4 without an access token?
I have decided to try to manage releases of one of my apps on GitHub as, with GitHub Actions, I can build on Mac, Linux and Windows and automatically push the artifacts to the GitHub Releases page, where anyone can go and download the app from.
However, I want my app to self-update, so the app itself also needs to be able to query what's the latest version in the repo releases, and then download the relevant asset for the user's OS... which I thought would be a non-issue... however, there's no way to access the GitHub API v4 without either an OAuth app or a personal access token.
I don't want an OAuth app because the users of my app are absolutely not expected to be GitHub customers. So I tried to use a personal access token whose only scope was access to public release assets (which, again, is a public resource anyone can go and manually download).
As this token can't do anything you or anyone else can't do manually, even without a GitHub account, I thought it would be fine to put the token in the source code of my application, but GitHub revokes the token when it detects it in a commit.
Is there a good way to work around this? Should I put the token in a GitHub secret and then try to replace a placeholder with it during compilation? I wanted to avoid that as that makes it hard for me to test the app locally, and also, it doesn't solve anything as anyone can easily decompile the app and find the token there (supposing GitHub would not detect the secret is present in the "processed" sources during compilation).
Any suggestions would be appreciated.
"however, there's no way to access the GitHub API v4 without either an OAuth app or a personal access token."
The GitHub API v3 does support unauthenticated calls, but it's limited to 60 requests/hr per IP address: https://developer.github.com/v3/#rate-limiting
"For unauthenticated requests, the rate limit allows for up to 60 requests per hour. Unauthenticated requests are associated with the originating IP address, and not the user making requests."
The Latest Release API docs will show you what information is returned, but I suspect you'll need to make a secondary call to List Assets for a release to know the files the client needs to download.
If that's not satisfactory (eg you know you'll have many clients try to update using the same IP address), and you'd like to ensure they aren't being rate-limited, read on for a different approach.
"Is there a good way to work around this?"
How I would tackle this is by deploying a small web service (eg Heroku dyno) that your app can call without needing authentication, which then performs the actual lookup for the latest version (using a PAT that gets embedded as an environment variable) and returns a simple JSON response that the client will understand.
Benefits:
e.g. calling /latest/beta or /latest/stable to indicate it's looking for a specific channel
Downsides:
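The two pieces the answer describes, as an added example in Python that is not code from the original answer, from GitHub, or from the asker's project: a client that calls the v3 latest-release endpoint with no token (so the 60 requests/hr/IP limit applies, and the X-RateLimit-* headers tell it when it has been throttled) and picks the asset for the current OS, plus the proxy-side function that does the same lookup with a PAT read from the service's environment and returns only a slimmed-down JSON object, so the PAT never leaves the server. The release object the v3 endpoint returns already embeds an `assets` array, which is what the example reads. The repository name `example-org/myapp`, the per-OS asset suffix scheme, the `GITHUB_TOKEN` variable name and the sample release data are assumptions constructed for illustration.

```python
"""Added example (not from the original post): unauthenticated v3 client logic and
the proxy-side lookup the answer describes. Repo name, asset naming scheme and the
GITHUB_TOKEN variable name are assumptions for illustration."""
import json
import os
import platform
import urllib.request

GITHUB_API = "https://api.github.com"

# Assumed naming scheme for the assets the GitHub Actions build uploads (hypothetical).
ASSET_SUFFIX = {"Darwin": "-macos.zip", "Linux": "-linux.tar.gz", "Windows": "-windows.zip"}


def latest_release_url(owner, repo):
    # v3 endpoint; needs no token for public repos, subject to the 60 req/hr/IP limit.
    return f"{GITHUB_API}/repos/{owner}/{repo}/releases/latest"


def rate_limit_state(headers):
    """Read the X-RateLimit-* headers GitHub sends; returns (remaining, reset_epoch).
    A client seeing remaining == 0 should wait until reset_epoch instead of retrying."""
    remaining = int(headers.get("X-RateLimit-Remaining", "0"))
    reset = int(headers.get("X-RateLimit-Reset", "0"))
    return remaining, reset


def pick_asset(release, os_name):
    """Select the asset for os_name from a v3 release object (which embeds its assets).
    Returns {"version", "url", "size"}, or None for an unknown OS or no matching asset."""
    suffix = ASSET_SUFFIX.get(os_name)
    if suffix is None:
        return None
    for asset in release.get("assets", []):
        if asset["name"].endswith(suffix):
            url = asset["browser_download_url"]
            # Defensive check: only follow download links that point back at GitHub over TLS.
            if not url.startswith("https://github.com/"):
                raise ValueError(f"unexpected download URL: {url}")
            return {"version": release["tag_name"], "url": url, "size": asset["size"]}
    return None


def slim_response(release):
    """Proxy side: reduce the upstream release object to the minimal JSON the client
    needs, so the client never depends on (or sees) the full API representation."""
    assets = {}
    for os_name in ASSET_SUFFIX:
        chosen = pick_asset(release, os_name)
        if chosen is not None:
            assets[os_name] = {"url": chosen["url"], "size": chosen["size"]}
    return {"version": release["tag_name"], "assets": assets}


def fetch_latest(owner, repo, token=None):
    """Network call (not exercised offline). With token=None this is the plain
    unauthenticated v3 call; the proxy passes the PAT it read from its environment."""
    req = urllib.request.Request(
        latest_release_url(owner, repo),
        headers={"Accept": "application/vnd.github.v3+json", "User-Agent": "myapp-updater"},
    )
    if token:
        req.add_header("Authorization", f"token {token}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp), resp.headers


def proxy_latest(owner, repo):
    """What the small web service runs per client request: the PAT comes from the
    service's environment (GITHUB_TOKEN is an assumed name) and is never shipped."""
    release, _headers = fetch_latest(owner, repo, token=os.environ.get("GITHUB_TOKEN"))
    return slim_response(release)


# Constructed sample of the relevant fields of a v3 release object, for offline use.
SAMPLE_RELEASE = {
    "tag_name": "v1.2.0",
    "assets": [
        {"name": "myapp-1.2.0-linux.tar.gz", "size": 1048576,
         "browser_download_url": "https://github.com/example-org/myapp/releases/download/v1.2.0/myapp-1.2.0-linux.tar.gz"},
        {"name": "myapp-1.2.0-windows.zip", "size": 2097152,
         "browser_download_url": "https://github.com/example-org/myapp/releases/download/v1.2.0/myapp-1.2.0-windows.zip"},
    ],
}
# Constructed headers as they would arrive on a throttled unauthenticated response.
SAMPLE_HEADERS = {"X-RateLimit-Limit": "60", "X-RateLimit-Remaining": "0", "X-RateLimit-Reset": "1700000000"}


if __name__ == "__main__":
    print(json.dumps(pick_asset(SAMPLE_RELEASE, platform.system()), indent=2))
    print(json.dumps(slim_response(SAMPLE_RELEASE), indent=2))
    print("rate limit (remaining, reset):", rate_limit_state(SAMPLE_HEADERS))
```

The client path is `fetch_latest(...)` followed by `rate_limit_state` and `pick_asset`; the proxy path is `proxy_latest`, whose output a client can consume without any token at all. Only `browser_download_url` and the size are forwarded, which keeps the proxy's response independent of whatever else the upstream API returns.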