The TW Documentation PR Maker and Authentication Tokens

I hesitate to do this because I don’t like putting personal access tokens anywhere I’m not certain is absolutely private. I know I could create one and invalidate it after the GH submission, but I worry that I would forget to do so and might have a token floating around. I maintain a popular (10-million+ downloads/week) library on GitHub, and would not be happy to have any credentials leak.

It would be great if GitHub would allow tokens specific to one repo or one group, but last I checked this wasn’t possible.


The access token is only stored in your browser local store. … But you are right. A more fine grained control would be nice.

So if I download a copy of the PR wiki, it wouldn’t be included? That’s nice to know and makes me feel a little happier. But it would still be a nagging worry for me.

Right. … The token is only known to your browser. … BUT … it is stored to the local storage in plain text. So everyone that has access to your computer can easily read it, if they know where to search for it and you don’t have a lock-screen on your PC.

That’s usually not a problem for most users, but if you share a computer at work it can be an issue.


As is common for single file TiddlyWikis, by default no info is sent to the server that hosts the single file wiki, except if you use 3rd party plugins that do send info to any server.

That’s not a concern. I have other sensitive material stored on my work PC, usually encrypted somehow, but sometimes in plain text. I was mostly worried that I’d make and share a copy of such a wiki without removing the token. If it’s in local storage, then most of my fears are allayed. And perhaps then I’ll try using the PR maker.

Thank you for your time, and your patience.
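The worry discussed above, sharing a copy of a wiki that still carries a token, can be checked mechanically before a file leaves the machine. The following is an added example, not part of the original thread and not code from the PR Maker: it assumes tokens follow GitHub's prefixed formats, and the tiddler titles, storage key and token values are constructed.

```javascript
// Added example: look for GitHub-token-shaped strings in a saved wiki file
// or in browser storage entries before sharing a copy.

// Loose patterns built on GitHub's token prefixes (ghp_, gho_, ghu_, ghs_,
// ghr_, github_pat_). Older prefix-less tokens are not detectable this way.
const TOKEN_PATTERNS = [
  { kind: "classic or app token", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g },
  { kind: "fine-grained PAT", re: /\bgithub_pat_[A-Za-z0-9_]{20,}\b/g },
];

// Keep only the prefix so a report never repeats the secret itself.
function redact(token) {
  const keep = token.startsWith("github_pat_") ? 11 : 4;
  return token.slice(0, keep) + "...(" + (token.length - keep) + " chars hidden)";
}

// Scan text line by line; returns [{ kind, line, preview }].
function findGithubTokens(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((lineText, idx) => {
    for (const { kind, re } of TOKEN_PATTERNS) {
      for (const m of lineText.matchAll(re)) {
        findings.push({ kind, line: idx + 1, preview: redact(m[0]) });
      }
    }
  });
  return findings;
}

// Same check over key/value pairs, e.g. Object.entries(localStorage)
// pasted into the browser console on the wiki's origin.
function findTokensInEntries(entries) {
  return entries.flatMap(([key, value]) =>
    findGithubTokens(String(value)).map(({ kind, preview }) => ({ key, kind, preview })));
}

// Constructed sample data: fake tokens and hypothetical tiddler titles.
const FAKE_CLASSIC = "ghp_" + "A".repeat(36);
const FAKE_FINE = "github_pat_" + "B".repeat(22) + "_" + "C".repeat(59);
const SAMPLE_WIKI = [
  "<html><body>",
  '{"title":"$:/temp/hypothetical-token","text":"' + FAKE_CLASSIC + '"}',
  "<p>Prose mentioning the github_pat_ prefix only.</p>",
  '{"title":"Notes","text":"token=' + FAKE_FINE + '"}',
  "</body></html>",
].join("\n");

console.log(findGithubTokens(SAMPLE_WIKI));
console.log(findTokensInEntries([["hypothetical-key", FAKE_CLASSIC]]));
```

Under Node, pass the saved wiki's contents from `fs.readFileSync(path, "utf8")` to `findGithubTokens`; an empty result means no prefixed token was found, not that the file is free of other secrets.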

Looks like GitHub has finally introduced fine grained access tokens that can be repo specific: Sign in to GitHub · GitHub

Is there any way we could have a similar wiki for submitting changes to the core rather than simply tiddlywiki.com?

  • One example I have would be introducing a new macro to be included, in this case making an existing macro trapped inside an existing tiddler publicly available.
  • Of course all the normal documentation and approvals would be required.

I’ll have a closer look at the fine grained access tokens. We only need to find out the minimal requirements to create a PR. Thx for the info.