#9214 [GitHub API] Deprecation notice for authentication via URL query parameters
Closed: Will Not/Can Not fix 3 years ago by smooge. Opened 3 years ago by smooge.

Describe what you would like us to do:


mailman needs more work:

Hi @FedoraInfra,

On August 8th, 2020 at 01:51 (UTC) your application (Fedora Mailman) used an access token (with the User-Agent python-requests/2.9.1) as part of a query parameter to access an endpoint through the GitHub API:

https://api.github.com/user

Please use the Authorization HTTP header instead as using the access_token query parameter is deprecated.

Depending on your API usage, we'll be sending you this email reminder on a monthly basis.

Visit https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param for more information about suggested workarounds and removal dates.

Thanks,
The GitHub Team

When do you need this to be done by? (YYYY/MM/DD)
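
The change the GitHub notice above asks for, as an added example that is not part of the ticket or of django-allauth's code: it moves an `access_token` query parameter into the `Authorization` header and flags URLs that still carry the token. The function names, the token value and the `per_page` parameter are constructed for illustration; the request is built but never sent.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

TOKEN_PARAM = "access_token"  # the deprecated query parameter named in the notice

# Constructed sample: a legacy call with a placeholder token in the URL.
LEGACY_URL = "https://api.github.com/user?access_token=EXAMPLE_TOKEN_NOT_REAL&per_page=5"


def has_query_token(url):
    """Return True if the URL still carries the token in its query string."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return any(key == TOKEN_PARAM for key, _ in pairs)


def to_header_auth(url, headers=None):
    """Return (clean_url, headers) with the token moved into Authorization."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    tokens = [value for key, value in pairs if key == TOKEN_PARAM]
    kept = [(key, value) for key, value in pairs if key != TOKEN_PARAM]
    headers = dict(headers or {})
    if tokens:
        # Refuse ambiguous input rather than guessing which credential wins.
        if len(set(tokens)) > 1:
            raise ValueError("conflicting access_token values in URL")
        if not tokens[0]:
            raise ValueError("empty access_token in URL")
        if any(name.lower() == "authorization" for name in headers):
            raise ValueError("Authorization header already set")
        headers["Authorization"] = "token " + tokens[0]
    clean_url = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean_url, headers


def build_request(url, headers=None):
    """Build (but do not send) a request that authenticates via the header."""
    clean_url, new_headers = to_header_auth(url, headers)
    return Request(clean_url, headers=new_headers)


if __name__ == "__main__":
    req = build_request(LEGACY_URL, {"User-Agent": "example-client"})
    print(req.full_url)
    print(sorted(req.header_items()))
```
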



Yeah, we had the issue too; that requires a new version of django socialauth, and I think it wasn't released last time I looked. @duck, any news?

Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: groomed, lists, medium-gain, medium-trouble

3 years ago

We have closed the previous ticket about that https://pagure.io/fedora-infrastructure/issue/8629 and referred to https://pagure.io/fedora-infrastructure/issue/8455

Don't know if we want to do the same again :P

The fix was done: https://github.com/pennersr/django-allauth/pull/2458
It is available in 0.42.

Now 0.41 drops Python 2 support so that's not gonna work with the current packages. Either we backport this patch in the allauth package we currently use (0.34, but we may probably be able to bump up to ~0.40) or even better we are fast enough to package all the things for EL8 and migrate all instances before the deadline (that's #8455).

I think that given the patch seems quite small, and this part didn't change a lot since introduction, a backport seems faster. Upgrading everything on EL8 with a deadline seems like a source of stress that could be avoided, IMHO.

@misc I did not look at the patch yet, thanks. Agreed.

@smooge could you confirm the version of python-django-allauth you're using? We still use a rebuild of 0.34.0-1 that was prepared by abompard. This is to be sure we target the necessary versions for the patch.

We are looking to move our stack to Fedora 33 for mailman3 and remove various forms of secondary auth. I think we can close this.

Metadata Update from @smooge:
- Issue close_status updated to: Will Not/Can Not fix
- Issue status updated to: Closed (was: Open)

3 years ago
