Diagnose command: Add GitHub OAuth token expiration date information
GitHub's new fine-grained tokens have a compulsory expiration date, and their
classic tokens also support an expiration date.

https://github.blog/changelog/2021-07-26-expiration-options-for-personal-access-tokens/

This improves the `composer diagnose` command to display the expiration
date and time if it is provided by the response headers
(via `GitHub-Authentication-Token-Expiration`).
Ayesh committed Oct 25, 2023
1 parent c827c93 commit 46dd29a
Showing 1 changed file with 11 additions and 1 deletion.
12 changes: 11 additions & 1 deletion src/Composer/Command/DiagnoseCommand.php
Expand Up @@ -327,10 +327,20 @@ private function checkGithubOauth(string $domain, string $token)
try {
$url = $domain === 'github.com' ? 'https://api.'.$domain.'/' : 'https://'.$domain.'/api/v3/';

$this->httpDownloader->get($url, [
$response = $this->httpDownloader->get($url, [
'retry-auth-failure' => false,
]);

$expiration = $response->getHeader('github-authentication-token-expiration');

if ($expiration === null) {
return '<info>OK</> <comment>does not expire</>';
}

if (\DateTime::createFromFormat('Y-m-d h:i:s O', $expiration) !== false) {

ktomk Oct 25, 2023

Contributor

In PHP 8 something, createFromFormat throws ValueError if $expiration contains a null byte. From my tests I'm pretty confident to say that strtotime() does suffice (same !== false test), might be some upcoming PHP 8, in any case strtotime() is less error prone: https://3v4l.org/TbVID https://3v4l.org/fH0sA (2xedit: better example)

stof Oct 25, 2023

Contributor

Your code snippet calls \DateTime::createFromFormat with a value that does not correspond to the format at all. And so it returns false, which is totally expected.

Btw, you put the modification in the format attribute, not in the value attribute.

ktomk Oct 25, 2023

Contributor

@stof thanks for quick check, I've also seen this, currently also checking against the PHP docs as this first example does not show the ValueError I actually wanted to test for, I commented too quickly in that regard.

ktomk Oct 25, 2023

Contributor

@stof: Please find the example updated https://3v4l.org/fH0sA this should show the better comparison (and also it provokes the ValueError I was originally looking for). It now shows this for the input parameter we have.

return '<info>OK</> <comment>expires on '. $expiration .'</>';

ktomk Oct 25, 2023

Contributor

For the $expiration display, I suggest to use the gmdate() function with the Y-m-d H:i:s P format (P= +/- HHMM) to show the date & time in UTC zone (benefit to easier compare the output across systems, e.g. local/remote and to prevent leaking the timezone information of the user that created the secret - relative time would be even better, but that only as note in the margin)

}

return true;
} catch (\Exception $e) {
if ($e instanceof TransportException && $e->getCode() === 401) {
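
Review bot: The format string in the `\DateTime::createFromFormat('Y-m-d h:i:s O', $expiration)` check uses `h`, which is PHP's 12-hour field, so a header value whose hour is 13 or later fails to parse. In that case the `if` body is skipped and the method falls through to `return true`, so the token is reported without any expiration information. Use `H` (24-hour) in the format, and handle the parse-failure case explicitly instead of dropping it silently, for example by still showing the raw header value. The parsed DateTime is also discarded while the raw header string is interpolated into the output; formatting the parsed object for display would keep validation and output consistent.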