That sounds prudent, i.e. an installation ID can only be associated with one user on my side.
There remains a small window of opportunity during the initial installation flow:
- The user installs our GitHub App to their account (or organisation).
- <window of opportunity>
- GitHub redirects the user back to our site with installation_id=... and we associate the user with the installation.
In that intervening moment, the app is installed but our application has not associated the user with that new installation. The window might be a few seconds, but an automated attack could:
- Obtain a recent installation ID. Assuming installation IDs are sequential, a separate process could reinstall an app (any app) to get this.
- Try our app’s Setup URL with a range of the next 10, 100, 1000 installation IDs.
and keep doing that indefinitely until it gets a hit. The window may be small, but it’s there, and an automated attack won’t get bored trying.
I think there is a way to prevent this window from being a threat:
- Authorise the user during the GitHub App installation flow, such that there is a secure OAuth exchange.
- Obtain an access token for the user, then check which installations the user has access to and thus validate the installation_id that we received.
I think this would strongly verify that the user and the installation are linked.
Can you see holes in that approach?
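The validation step proposed above, as an added example that is not the poster's code: the installation_id from the Setup URL callback is accepted only if GitHub's GET /user/installations, called with the signed-in user's own token, lists that installation. The callback URL, the token handling and the sample response body are constructed for illustration.

```python
"""Check a callback installation_id against the installations the signed-in
user can actually reach (added example, not the original poster's code)."""
import json
import urllib.request
from typing import Optional
from urllib.parse import parse_qs, urlparse

GITHUB_API = "https://api.github.com"


def fetch_user_installations(user_token: str) -> list:
    """GET /user/installations with a user-to-server token, walking pages of 100.
    Network call; not exercised in the offline checks below."""
    results, page = [], 1
    while True:
        req = urllib.request.Request(
            f"{GITHUB_API}/user/installations?per_page=100&page={page}",
            headers={"Authorization": f"Bearer {user_token}",
                     "Accept": "application/vnd.github+json"})
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        chunk = body.get("installations", [])
        results.extend(chunk)
        if not chunk or len(results) >= body.get("total_count", 0):
            return results
        page += 1


def installation_id_from_callback(redirect_url: str) -> Optional[int]:
    """Extract installation_id from the Setup URL callback; None if absent/malformed."""
    raw = parse_qs(urlparse(redirect_url).query).get("installation_id", [None])[0]
    return int(raw) if raw and raw.isdigit() else None


def installation_accessible_to_user(installation_id: int, installations: list) -> bool:
    """True only if the user's own token lists that installation, so a guessed
    installation_id belonging to someone else is rejected here."""
    return any(inst.get("id") == installation_id for inst in installations)


# Constructed sample, shaped like the "installations" array of GET /user/installations.
SAMPLE_INSTALLATIONS = [
    {"id": 12345, "account": {"login": "example-org", "type": "Organization"}},
    {"id": 12346, "account": {"login": "example-user", "type": "User"}},
]


def link_installation(redirect_url: str, installations: list) -> Optional[int]:
    """Return the installation_id safe to associate with the user, or None to refuse."""
    inst_id = installation_id_from_callback(redirect_url)
    if inst_id is None or not installation_accessible_to_user(inst_id, installations):
        return None
    return inst_id
```

In production the `installations` argument comes from `fetch_user_installations()` using the token obtained in the OAuth step, and a `None` result means the association is not stored.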