Comment by csomar

Comment by csomar 3 days ago

0 replies

View on Hacker News

It is GitHub mess. See the discussion: https://github.com/orgs/community/discussions/37117

To keep it short, GitHub has oauth App and "GitHub Apps". GitHub Apps are the new model and they can be installed to particular repos instead of having wide access to your account. GitHub recommends you use them. There is one catch however: GitHub did architecture these apps so that they can "act on the user behalf". Even if your app only asks for "an email address", they will still have that "permission" even though it is against nothing.

Thus, the scary popup. I've found the only solution to this is to "complicate" your flow. If you go to https://codeinput.com (my app), and click login with GitHub, you'll be taken to a less scarier popup that only asks for your email (it's an oauth app!). This, however, is at the expense of you having to do the "authenticate + install" dance again after you login! So I had to create an onboarding step, kind of to explain to the user the different steps he has to take.