fix: don't add user(write/read) permission by default

luizfonseca · Jan 2, 2025 · 9abb557 · 9abb557
1 parent 7496505
commit 9abb557
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -63,7 +63,7 @@ providing a more secure way for users to access protected routes.
 |------------------------------|-------------------------------------------------------------------------------|---------|----------|
 | `GITHUB_OAUTH_CLIENT_ID`     | The GitHub OAuth App client id                                                |         | Yes      |
 | `GITHUB_OAUTH_CLIENT_SECRET` | The GitHub OAuth App client secret                                            |         | Yes      |
-| `GITHUB_OAUTH_SCOPES`        | Additional scopes to be added to the Oauth workflow. "user" is always added.   | "user"  | No       |
+| `GITHUB_OAUTH_SCOPES`        | Additional scopes to be added to the Oauth workflow.                          |         | No       |
 | `API_BASE_URL`               | The base URL of the Traefik GitHub OAuth server                               |         | Yes      |
 | `API_SECRET_KEY`             | The api secret key. You can ignore this if you are using the internal network |         | No       |
 | `SERVER_ADDRESS`             | The server address                                                            | `:80`   | No       |
@@ -107,8 +107,8 @@ You can follow the steps in the [GitHub documentation](https://docs.github.com/e
 
 #### OAuth Scopes
 - For `ids` and `logins` you don't need extra scopes.
-- For `teams` you will need to request the `read:org`, `user` or `repo` scopes from the user. See the [documentation](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
-    - You can do so by updating the `GITHUB_OAUTH_SCOPES` environment variable with the desired additional scopes, e.g. `GITHUB_OAUTH_SCOPES="repo,read:org"` via the **Server Configuration**.
+- For `teams` you might need to request the `read:org` scope from the user. See the [documentation](https://docs.github.com/en/rest/teams/teams?apiVersion=2022-11-28#list-teams-for-the-authenticated-user).
+    - You can do so by updating the `GITHUB_OAUTH_SCOPES` environment variable with the desired additional scopes, e.g. `GITHUB_OAUTH_SCOPES="read:org"` via the **Server Configuration**.
 
 
 ## License

diff --git a/internal/app/traefik-github-oauth-server/config.go b/internal/app/traefik-github-oauth-server/config.go
@@ -2,7 +2,6 @@ package traefik_github_oauth_server
 
 import (
 	"os"
-	"slices"
 	"strings"
 
 	"github.com/spf13/cast"
@@ -29,17 +28,12 @@ func envWithDefault(key string, defaultValue string) string {
 }
 
 func githubOauthScopeConfigs() []string {
-	// Default scopes
-	scopes := []string{"user"}
-
-	// Add additional scopes
 	scopesFromEnv := os.Getenv("GITHUB_OAUTH_SCOPES")
 	if scopesFromEnv != "" {
-		sp := strings.Split(scopesFromEnv, ",")
-		scopes = slices.Concat(scopes, sp)
+		return strings.Split(scopesFromEnv, ",")
 	}
 
-	return scopes
+	return []string{}
 }
 
 func NewConfigFromEnv() *Config {