
support 2fa #12

Closed
Carreau opened this issue May 10, 2016 · 3 comments

Comments

@Carreau
Contributor

Carreau commented May 10, 2016

If two-factor authentication is enabled when logging in with a password, the response will be 401 with the X-GitHub-OTP header set, typically having `required; sms` as a value (not sure what other authentication methods are available, but at least you get the `required;`).

So typically you need to reissue the request with the received OTP, typically:

    import getpass
    import json
    import requests

    # `user`, `pw`, `auth_request` and the first `response` come from the initial login attempt
    if response.status_code == 401 and response.headers.get('X-GitHub-OTP') == 'required; sms':
        print("Your login API request needs an SMS one-time password")
        sms_pw = getpass.getpass("SMS password: ")
        response = requests.post('https://api.github.com/authorizations',
                                 auth=(user, pw),
                                 data=json.dumps(auth_request),
                                 headers={'X-GitHub-OTP': sms_pw})

Not sure where that would be in here, likely around lib/github3/....

Note that I already do receive the OTP by SMS; the code path just doesn't handle the 401 and prints:

Authentication error.
Update your credentials in ~/.gitsomeconfig or run:
  gh configure
Authentication error.
Update your credentials in ~/.gitsomeconfig or run:
  gh configure
Authentication error.
Update your credentials in ~/.gitsomeconfig or run:
  gh configure

Note, the following message is unclear:

Do you want to log in with a password?
 If not, you will be prompted for a personal access token instead [Y/n]:

It reads to me as I will store username and password, while you do not actually store the password, but request a personal token that you store. I would suggest changing the phrasing slightly.

Thanks.
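The 401 / X-GitHub-OTP round trip described above, as an added example that is not part of the original issue or of gitsome: it parses the header (any delivery method, not only `sms`), replays the authorizations POST once with the one-time password, and distinguishes a plain bad-credentials 401 from a 2FA challenge. `fake_github_post`, `_Resp`, the password `pw`, the code `123456` and the returned token are constructed stand-ins so the flow runs offline; `post` defaults to `requests.post` for real use.

```python
import getpass
import json

API_URL = "https://api.github.com/authorizations"  # endpoint used in the snippet above


def parse_otp_header(headers):
    """Return the 2FA method ('sms', 'app', ...) when a 401 carries
    'X-GitHub-OTP: required; <method>', or None for a plain auth failure."""
    parts = [p.strip().lower() for p in headers.get("X-GitHub-OTP", "").split(";")]
    if parts[0] != "required":
        return None
    return parts[1] if len(parts) > 1 and parts[1] else "unknown"


def create_token(user, password, auth_request, post=None, ask_otp=None):
    """POST to the authorizations API; if GitHub answers 401 with an OTP demand,
    replay the same request once with X-GitHub-OTP set. `post` and `ask_otp`
    are injectable so the flow can be exercised without network access."""
    if post is None:
        import requests  # lazy import: the offline demo below does not need it
        post = requests.post
    if ask_otp is None:
        ask_otp = lambda method: getpass.getpass(f"{method.upper()} one-time password: ")
    body = json.dumps(auth_request)
    resp = post(API_URL, auth=(user, password), data=body, headers={})
    if resp.status_code == 401:
        method = parse_otp_header(resp.headers)
        if method is None:
            raise PermissionError("bad credentials")  # no 2FA challenge: do not retry
        # The first POST already triggered OTP delivery; resend with the code, once.
        resp = post(API_URL, auth=(user, password), data=body,
                    headers={"X-GitHub-OTP": ask_otp(method)})
        if resp.status_code == 401:
            raise PermissionError("one-time password rejected")
    if resp.status_code != 201:
        raise RuntimeError(f"unexpected status {resp.status_code}")
    return resp.json()


class _Resp:  # constructed stand-in for requests.Response
    def __init__(self, status_code, headers=None, body=None):
        self.status_code, self.headers, self._body = status_code, headers or {}, body
    def json(self):
        return self._body


def fake_github_post(url, auth, data, headers):
    """Constructed emulation of the behaviour described above (2FA via SMS)."""
    if auth != ("user", "pw"):
        return _Resp(401)  # wrong password: 401 without any OTP header
    if headers.get("X-GitHub-OTP") != "123456":
        return _Resp(401, {"X-GitHub-OTP": "required; sms"})
    return _Resp(201, body={"token": "ghp_constructed", "scopes": json.loads(data)["scopes"]})
```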

@donnemartin
Owner

Interesting, appreciate the info and code snippet.

I thought this wasn't do-able due to this issue: sigmavirus24/github3.py#387:

"If you're using Basic Auth to authenticate and are using 2FA with SMS, the API will send 2FA SMSes with OTPs only for API requests to create tokens. This allows you to use the Authorizations API to create an OAuth token. If you're using other APIs and have 2FA enabled, you should authenticate using an OAuth token (instead of with username+password) because using an OAuth token doesn't require you to enter an OTP when making API calls."

I might need to dig a little deeper.

> Note, the following message is unclear:

I think you're right, I'll try to improve that message.

Thanks!

@Carreau
Contributor Author

Carreau commented May 10, 2016

> I might need to dig a little deeper.

Yeah, the Personal Token API is a bit weird, I had some exchange with support as well:

[snip] I believe we intentionally send 2FA OTPs via SMS only for PUT and POST requests to the authorizations API. Normally, you'd use a PUT or a POST to create a token, and then continue using that token for making API requests. Once you're done with the token -- you can revoke it via the web UI. Again, I agree it would be great if DELETEs sent an SMS as well, so I've opened an internal issue to see if we'd consider changing that. I can't promise an ETA, but we'll followup as soon as there's any news. For now, if you need an SMS for any API call -- you can trigger it with a POST to the authorizations API and then use the OTP for the call you really want to make.

So IIRC, the OTPs are short-lived, but you can use them for 2 different requests, and can basically make a "fake" request that will just trigger the OTP to be sent, and then do your real requests.

My guess is that personal access tokens are a second-class citizen, and that's understandable, as they are inherently less secure than OAuth tokens, and the GitHub docs are mostly targeted at online services hooking up into GitHub (hence the 2FA SMS response only for token requests, which might be true). Though personal access tokens are technically logging in as you, who are trying to do something on your repo, and not as an entity doing something on your behalf.

Anyway, I might give that a go at some point. I also have a YubiKey in some drawer; I should dig that out to see how it can be used for 2FA.

Carreau added a commit to Carreau/gitsome that referenced this issue May 11, 2016
@donnemartin
Owner

Associated PR: #29

donnemartin added a commit that referenced this issue May 15, 2016
Fix #12: Improve support for 2FA users