Hi everyone!
I’m developing a web app that will connect to the GitHub repos of certain organizations and will run some analytics on some of their repos.
After realizing that OAuth apps don’t allow for a specific-repos scope, I decided to switch to GitHub Apps. My understanding of the web app flow is the following:
- A member of the org decides to install the app on some of the repos, goes to the GitHub App page and requests installation on the selected repos from the owner of the org
- Once it’s validated, he/she can go to the web app and, via a GitHub connect, the web app gets an access token for the user.
- From there, two options:
  3a) Either the web app uses user-to-server requests and uses the provided access token to make calls to the GitHub API
  3b) Or the web app requests an access token as an app (JWT token) and uses the provided access token to make server-to-server calls to the GitHub API (probably better when it comes to rate limiting).
I have some questions for you guys:
- Am I correct in my understanding of the GitHub App flow?
- Am I correct in thinking that it’s better to request an access token for server-to-server requests instead of user-to-server?
- If that’s the case, is my way of doing it the correct one: once I have the user access token, I check his/her installation id and get an access token corresponding to his/her installation?
- I also have a question regarding the expiration time: by default it’s one hour, but it’s likely that I will need more than this. Plus I will have a job that automatically reanalyzes the repos every day. How can I deal with getting a new token and a longer expiration time?
That’s a lot of questions, thanks if you can answer!
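As an added example (not code from the original post), here is the server-to-server leg from option 3b together with the expiry handling, in Python: the App JWT claims, the installation-token request narrowed to the repos the job actually needs, and an in-memory cache that refreshes the token before its one-hour expiry instead of trying to extend it. The endpoint and the `repositories` body field are GitHub's; the app id, installation id, repo name and the injected `sign_jwt`/`send` callables are placeholders and assumptions so it runs offline.

```python
import json
import time
import urllib.request
from datetime import datetime, timezone

GITHUB_API = "https://api.github.com"

def app_jwt_claims(app_id, now):
    # Claims for the App JWT (signed RS256 with the app's private key).
    # GitHub rejects exp more than 10 minutes after iat; iat is backdated
    # 60 s so small clock drift does not make the JWT "not yet valid".
    return {"iat": now - 60, "exp": now + 9 * 60, "iss": app_id}

def installation_token_request(app_jwt, installation_id, repositories=None):
    # POST /app/installations/{id}/access_tokens, authenticated with the App JWT.
    # 'repositories' narrows the token to the named repos of that installation,
    # so the analytics job never holds more access than it needs.
    body = json.dumps({"repositories": repositories} if repositories else {}).encode()
    return urllib.request.Request(
        f"{GITHUB_API}/app/installations/{installation_id}/access_tokens",
        data=body, method="POST",
        headers={"Authorization": f"Bearer {app_jwt}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"})

def parse_expiry(expires_at):
    # GitHub returns expires_at like "2024-01-01T13:00:00Z"; convert to epoch seconds.
    dt = datetime.strptime(expires_at, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

class InstallationTokenSource:
    """Valid installation token per installation id, refreshed 'skew' s before the
    1-hour expiry (which cannot be extended; a daily job just mints a new one).
    sign_jwt(claims)->str and send(request)->dict are injected (assumed helpers) so
    this runs offline; in production use jwt.encode(claims, pem, algorithm="RS256")
    from PyJWT and json.load(urllib.request.urlopen(request)).
    """
    def __init__(self, app_id, sign_jwt, send, skew=300):
        self.app_id, self.sign_jwt, self.send, self.skew = app_id, sign_jwt, send, skew
        self._cache = {}  # installation_id -> (token, expiry epoch); kept in memory only

    def token(self, installation_id, repositories=None, now=None):
        now = int(time.time()) if now is None else now
        cached = self._cache.get(installation_id)
        if cached and cached[1] - self.skew > now:
            return cached[0]
        app_jwt = self.sign_jwt(app_jwt_claims(self.app_id, now))
        resp = self.send(installation_token_request(app_jwt, installation_id, repositories))
        self._cache[installation_id] = (resp["token"], parse_expiry(resp["expires_at"]))
        return resp["token"]
```

The cache is per process; a separate daily job should just request its own short-lived token at start rather than reuse one stored from an earlier run.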