Token at the end of links

Hi,

I have a new private repo and work from the GitHub GUI. I have a GitHub Pro account. I have no knowledge of Linux.

My private repo is only a repo; no team or company function is activated.

When a member in my private repo creates a link using the RAW function, a token is added at the end.

Example: ?token=ABCABCABCABC5ABCABC7ABC

https://raw.githubusercontent.com/USERNAME/Private_Repo/Document.pdf?token=ABCABCABCABC5ABCABC7ABC

Here are a few questions:

  1. If a user gives this link to others, can I block the token?
  2. Can I invalidate the currently valid tokens for all users and new tokens will be generated the next time the link is created?
  3. If I remove a user from the private repo, the link is then invalid?

I have already looked in the documentation, because you can only find information about the personal access tokens but nothing at all about the link token.

I hope someone can help me with that.

  1. If a user gives this link to others, can I block the token?

Not really - this is a browser token, valid for a week and is scoped to the user who created the token. As long as that user has access to the content, their link should work until it expires.

  2. Can I invalidate the currently valid tokens for all users and new tokens will be generated the next time the link is created?

I can’t think of a way to do that directly since these are browser tokens, but the URL does contain the repository and filename - in a pinch, changing any of that should kill the link, but obviously could also affect any links you have to that content.

  3. If I remove a user from the private repo, the link is then invalid?

Yes - there might be a couple of minutes' delay, but once the person who generated the link has been removed, their tokens will also be invalid.

I tested removing someone and adding them back, and removing them does appear to revoke the token permanently, even if they are added back.

Thanks for your answer, now I have more information and am a little smarter. 🙂

Hi @Free-IPTV,
just in case you are unaware, you can access raw content using HTTP and an Authentication Header containing a user's personal access token (which will need to have permissions on the repository content to be retrieved):
https://raw.githubusercontent.com/USERNAME/Private_Repo/Document.pdf

A user sharing this browser token provided in the raw format seems like a security anti-pattern to me; I can understand your concerns.
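The header-based access suggested in the last reply, as an added example that is not part of the thread or any GitHub code: it finds raw links that carry a `?token=` value in a piece of text, strips the token, and builds a request that sends a personal access token only in a header. The `Authorization: token <PAT>` header form, the `GITHUB_PAT` environment variable and all function names are assumptions made for this sketch.

```python
import os
import re
import urllib.request
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

RAW_HOST = "raw.githubusercontent.com"
URL_RE = re.compile(r"https://raw\.githubusercontent\.com/[^\s<>\"']+")

def strip_token(url):
    """Return (clean_url, had_token): drop the ?token= browser token from a raw link."""
    parts = urlsplit(url)
    if parts.hostname != RAW_HOST:
        return url, False
    query = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in query if k.lower() != "token"]
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))
    return clean, len(kept) != len(query)

def find_tokenized_links(text):
    """List the token-free form of every raw link in text that carried a token."""
    hits = []
    for match in URL_RE.finditer(text):
        # Trailing sentence punctuation is not part of the link.
        clean, had_token = strip_token(match.group(0).rstrip(".,)"))
        if had_token:
            hits.append(clean)
    return hits

def build_request(url, pat):
    """Build a request for the token-free URL with the PAT carried in a header only."""
    clean, _ = strip_token(url)
    target = urlsplit(clean)
    if target.hostname != RAW_HOST or target.scheme != "https":
        raise ValueError("refusing to send the PAT to a non-raw or non-HTTPS URL")
    return urllib.request.Request(clean, headers={"Authorization": f"token {pat}"})

if __name__ == "__main__":
    # Constructed sample text using the placeholder link from the thread.
    sample = ("see https://raw.githubusercontent.com/USERNAME/Private_Repo/"
              "Document.pdf?token=ABCABCABCABC5ABCABC7ABC for details")
    links = find_tokenized_links(sample)
    print(links)
    pat = os.environ.get("GITHUB_PAT")  # assumed variable name
    if pat:
        with urllib.request.urlopen(build_request(links[0], pat)) as resp:
            print(resp.status, len(resp.read()))
```
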