I’m working on a GitHub App that’ll use GitHub as authentication in its own frontend (basically, if the user has access to the repo on GitHub, she’ll have it in my app too), but haven’t been able to quite figure out the user OAuth part.
I think I get the whole process of installing the app. I plan on not using the “Request user authorization (OAuth) during installation” feature as there’s no need at installation time.
So, I figure when an anonymous user hits my app, it’ll redirect to https://github.com/login/oauth/authorize and do the dance to get an access token, which I can then use to check access.
And then what? I gather that the App OAuth tokens have a shorter lifetime than the old OAuth tokens, so how do I handle renewal? Some point at using it to get an access token to an installation, but do I want that? Basically I just want to know if a user has read or write access to a given repo, and check periodically (depending on how long the session lives) if that’s changed.
I believe that just redirecting the user to https://github.com/login/oauth/authorize whenever the token becomes invalid is a possible solution, but it seems rather heavy.
Alternatively, I could make a note of the user’s access to the repo and let that live for 24 hours, and simply reauth for each repository visited, but that seems a bit lazy.
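
The two options weighed in the post (cache the user's repo access for 24 hours, and fall back to the authorize redirect when the token is rejected) can be combined; the sketch below is an added example, not part of the original post. `RepoAccessCache`, `ReauthRequired` and the injected `fetch_permissions` callable are hypothetical names, and the callable is assumed to wrap `GET /repos/{owner}/{repo}` made with the user's token, returning the `permissions` object from the response.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

ACCESS_TTL = 24 * 60 * 60  # seconds; the 24-hour lifetime mentioned in the post


class ReauthRequired(Exception):
    """Token rejected: send the user back through /login/oauth/authorize."""


@dataclass
class RepoAccessCache:
    # Assumed contract of the injected callable (hypothetical, not a GitHub SDK call):
    #   fetch_permissions(token, repo) -> {"pull": bool, "push": bool, ...}
    #   {} when the repo is not visible to the user, None when the token is rejected.
    fetch_permissions: Callable[[str, str], Optional[dict]]
    clock: Callable[[], float] = time.time
    entries: dict = field(default_factory=dict)

    def level(self, user: str, token: str, repo: str) -> str:
        """Return 'write', 'read' or 'none', re-checking GitHub after ACCESS_TTL."""
        key = (user, repo)
        now = self.clock()
        cached = self.entries.get(key)
        if cached is not None and now - cached[1] < ACCESS_TTL:
            return cached[0]  # still fresh: no API call, no redirect
        perms = self.fetch_permissions(token, repo)
        if perms is None:
            # Fail closed: an expired or revoked token must not keep a stale grant.
            self.entries.pop(key, None)
            raise ReauthRequired(user)
        if perms.get("push"):
            result = "write"
        elif perms.get("pull"):
            result = "read"
        else:
            result = "none"
        self.entries[key] = (result, now)
        return result
```

A cached grant stays in effect for up to `ACCESS_TTL` after access is removed on GitHub, so the TTL is the revocation delay the app accepts.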