
I have a website that displays records from a database. I have set up a feedback form so if someone spots a mistake in a record, they can report it so it can be set right. I use a Github Personal Access Token (PAT) to create a Github issue when the form is submitted, and then the appropriate team member is notified. It all works fine, but my questions:

  1. This is potentially opening up the possibility of spam issues being created. How can I catch that? I have also set up a question-answer barrier before the user can submit the form (to determine it is not a robot trying to create fake issues) but, of course, this is not fool-proof.

  2. The PATs seem to expire after a certain period of time. Is there a way to generate a PAT that lasts a long time?

  3. Any other gotchas I should be aware of before I unroll this to public users?

punkish
  • To clarify: you placed your PAT on a web form? – alexmac Aug 19 '21 at 06:49
  • Well, there is really no other way (this is a completely client-side app). I created an empty repo just for the issues tracking and am using the PAT for that repo. So there is nothing sensitive in the repo itself other than the possibility of getting a lot of crap issues from a bot (or a malevolent human being) – punkish Aug 19 '21 at 06:51
  • You can create a simple web server with a single endpoint that accepts some data and creates GitHub issues using your PAT. It's a really bad idea to publish your PAT (I hope you created it with limited permissions?). – alexmac Aug 19 '21 at 06:55
  • @alexmac it is a client-side app – punkish Aug 19 '21 at 09:25

1 Answer


The PATs seem to expire after a certain period of time. Is there a way to generate a PAT that lasts a long time?

As documented, a PAT only expires if you selected an expiration period at its creation:

https://docs.github.com/assets/images/help/settings/token_expiration.png

For creating issues, make sure you have selected only the scope public_repo or repo permission on your Personal Access Token.

  • public_repo will only grant the ability to manipulate public repositories.
  • repo will grant the ability to manipulate all repositories you have access to.

Not sure about issue spam, except for reporting those when you see them.

VonC
  • Ok thanks, I missed the expiration time setting. Yes, the PAT is only for public repos, and this specific repo is empty. It is only for tracking these issues. I think I will go ahead and implement it and see if all hell breaks loose – punkish Aug 19 '21 at 08:58
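The single-endpoint server alexmac suggests in the comments, combined with the scope advice in the answer, as an added example that is not code from the question, the answer or any project: the PAT lives only in the server's environment, the endpoint copies just the two form fields it needs into the issue, and a small sliding-window limiter plus a link filter give a first line of defence against bulk fake reports. The function names, the `ISSUES_REPO`/`GITHUB_PAT` variables and the `recordId`/`message` field names are assumptions; the GitHub call is the documented `POST /repos/{owner}/{repo}/issues`.

```javascript
// Added example (not from the question or answer). A server-side handler that
// sits between the public feedback form and GitHub so the PAT never reaches
// the browser. handleReport, ISSUES_REPO and GITHUB_PAT are hypothetical names.

const WINDOW_MS = 60_000;     // sliding rate-limit window per client address
const MAX_PER_WINDOW = 3;     // reports accepted per address per window
const MAX_MESSAGE = 2000;     // characters accepted in the free-text field
const recent = new Map();     // address -> timestamps of accepted reports

// Sliding-window limiter: true if this address may submit another report now.
function allow(addr, now = Date.now()) {
  const hits = (recent.get(addr) || []).filter(t => now - t < WINDOW_MS);
  const ok = hits.length < MAX_PER_WINDOW;
  if (ok) hits.push(now);
  recent.set(addr, hits);
  return ok;
}

// Validate the form fields and build the issue payload. Only the fields the
// form needs are copied, so a client cannot set labels, assignees or an
// arbitrary title through the public endpoint.
function buildIssue(form) {
  const recordId = String(form.recordId ?? '').trim();
  const message = String(form.message ?? '').trim();
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(recordId)) return { error: 'invalid record id' };
  if (!message || message.length > MAX_MESSAGE) return { error: 'invalid message' };
  if (/https?:\/\//i.test(message)) return { error: 'links are not accepted' }; // cheap spam filter
  return { issue: { title: `Correction requested for record ${recordId}`,
                    body: message, labels: ['user-report'] } };
}

// Handle one submission. fetchFn is injectable so the flow can be exercised
// without network access; in production it is the global fetch (Node 18+).
async function handleReport(addr, form, fetchFn = fetch, now = Date.now()) {
  if (!allow(addr, now)) return { status: 429, body: 'too many reports, try later' };
  const { error, issue } = buildIssue(form);
  if (error) return { status: 400, body: error };
  const repo = process.env.ISSUES_REPO;   // placeholder, e.g. "owner/feedback-issues"
  const token = process.env.GITHUB_PAT;   // PAT created with only the public_repo scope
  const res = await fetchFn(`https://api.github.com/repos/${repo}/issues`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json',
               'Content-Type': 'application/json' },
    body: JSON.stringify(issue),
  });
  return res.status === 201 ? { status: 202, body: 'thanks, report filed' }
                            : { status: 502, body: 'could not file report' };
}
```

Mount `handleReport` behind whatever HTTP framework the site uses, passing the client address and the parsed JSON body; the GitHub response body (including the issue URL) is deliberately not echoed back to the client.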