Comment by mdaniel

1 year ago

> a huge commitment for people looking to vote on most / all games.

I wanted to say that I went to vote for your game but they seem to only support GitHub login and their GH app does crazypants shit like "Act on your behalf" versus the much more sane "user:email"[1] or whatever which would prove that I'm a person without granting some rando website "sure, bro, take GitHub actions for me"

So, my HN upvote will have to suffice for Internet Points of Appreciation

1: https://docs.github.com/en/apps/oauth-apps/building-oauth-ap...

The site only requests read access to your email, as the login flow message _actually_ shows.

The "act on your behalf" statement is GitHub's standard message for all GitHub apps, regardless of whether they actually ask to be granted any permissions that would let them perform such actions. There's a "learn more" link right at that statement, that would've explained pretty much exactly this. I find it curious that you bothered to venture into docs and link them, but did not bother to click _that_ one to understand what's actually going on.

It says, i.a.: "The GitHub App can only do things that both you and the app have permission to do." Since the site only asks for read access to your email address, it cannot actually do anything else. As simple as that.

  • I hear you, and it's possible you're right, but that's not what the dialog said and the very link that you mentioned has -- as its very first sentence -- "Once you authorize a GitHub App, the app can act on your behalf." and shows an example of commenting as me

    So, I guess just to vote on a cool game I should definitely roll the dice with my GitHub account and trust that some Internet comment is right, or, I guess upvote and be sad for them that they tried to be kewl by creating a GH app instead of OAuth2 like a sane person. Naming it "Kilobot" for sure inspires confidence for its fewer than 1k installed users, too

    • Once again, curious that you bothered to remember something that is relevant to community inside jokes and take dumps on that, even bothered to remember a number, but did not bother to read up on what you're dumping on.

      FYI #1 It very much is a standard OAuth2 flow. Just GH's 'always on' message is unfortunate, and that's all there is to it. There have been topics like https://github.com/orgs/community/discussions/37117 on this ever since they were introduced. Which, again, you could've encountered if you put your energy into good faith, instead of focusing that bad faith mojo on a small community. If you really feel like proving how "sane" and above "kewl" you are, go take your dump on GitHub - i.e. the one actually responsible for those misleading messages.

      FYI #2 Your vote would not count anyway, because only community member votes actually get included in scoring. Although as an outsider you'd have been welcome to leave feedback.


Thank you! :) And yeah I'll ask the orgs why the bot requests these permissions, might be an oversight.