support 2fa #12
Comments
Interesting, appreciate the info and code snippet. I thought this wasn't do-able due to this issue: sigmavirus24/github3.py#387:
I might need to dig a little deeper.
I think you're right, I'll try to improve that message. Thanks!
Yeah, the Personal Token API is a bit weird, I had some exchange with support as well:
So IIRC, the OTPs are short-lived, but you can use them for 2 different requests, and can basically make a "fake" request that will just trigger the OTP to be sent, and then do your real requests. My guess is that personal access tokens are 2nd-class citizens, and that's understandable, as they are inherently less secure than OAuth tokens, and that the GitHub docs are mostly targeted at online services hooking up into GitHub (hence the response 2FA SMS only for token request, which might be true). Though the personal access tokens are technically logging in as you, who are trying to do something on your repo, and not as an entity doing something on your behalf. Anyway, I might give that a go at some point. I also have a YubiKey in some drawer, I should dig that out to see how it can be used for 2FA.
Associated PR: #29
Fix #12: Improve support for 2FA users
If two-factor authentication is enabled when logging in with a password, the response will be a 401 with the `X-GitHub-OTP` header set, typically having `required; sms` as a value (not sure what other authentication methods are available, but at least you get the `required;`).
So typically you need to reissue the request with the received OTP, typically:
Not sure where that would be in here, likely around `lib/github3/...`.
Note that I already do receive the OTP by SMS, the codepath just doesn't handle the 401 and prints a:
(Note, the following message is unclear:
It reads to me as `I will store username and password`, while you do not actually store the password, but request a personal token that you store. I would suggest changing the phrasing slightly.)
Thanks.
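The 401 and `X-GitHub-OTP` exchange described in this issue, as an added Python example that is not part of the original issue or of the project's code. It tells a 2FA challenge apart from a plain bad-credentials 401, reissues the request with the code in the same header, and caps retries. The `send` and `get_otp` hooks, the fake server and the digits-only check are assumptions made for illustration.

```python
import re

OTP_HEADER = "X-GitHub-OTP"

def parse_otp_challenge(status, headers):
    """Return the delivery method ('sms', ...) for a 2FA challenge, else None."""
    if status != 401:
        return None
    value = next((v for k, v in headers.items()
                  if k.lower() == OTP_HEADER.lower()), None)
    if value is None:
        return None  # plain 401: bad credentials, not a 2FA challenge
    parts = [p.strip().lower() for p in value.split(";")]
    if parts[0] != "required":
        return None
    return parts[1] if len(parts) > 1 and parts[1] else "unknown"

def request_with_otp(send, get_otp, max_attempts=2):
    """send(extra_headers) -> (status, headers, body); get_otp(method) -> str.
    Both callables are hypothetical hooks, not part of any real library."""
    status, headers, body = send({})  # first request triggers the OTP delivery
    method = parse_otp_challenge(status, headers)
    for _ in range(max_attempts):
        if method is None:
            break
        code = get_otp(method).strip()
        # Assumption: codes are 6-8 ASCII digits. Rejecting anything else
        # also keeps CR/LF out of the header value.
        if not re.fullmatch(r"[0-9]{6,8}", code):
            continue
        status, headers, body = send({OTP_HEADER: code})
        method = parse_otp_challenge(status, headers)
    return status, body

def make_fake_server(valid_code):
    """Constructed stand-in for the API so the example runs offline."""
    calls = []
    def send(extra_headers):
        calls.append(dict(extra_headers))
        if extra_headers.get(OTP_HEADER) == valid_code:
            return 201, {}, {"token": "<placeholder-token>"}
        return 401, {OTP_HEADER: "required; sms"}, {"message": "constructed"}
    return send, calls

if __name__ == "__main__":
    send, calls = make_fake_server("123456")
    print(request_with_otp(send, lambda method: "123456"), len(calls))
```

Only the returned token would be written to disk by a caller; the password and the one-time code stay in memory for the duration of the exchange.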