security: audit GitHub OAuth scopes — ensure minimum required permissions #228

Description

@basanth-p

Summary

Audit the GitHub OAuth scopes requested during the /connect flow and verify we are requesting only what is strictly necessary.

Current scopes

read:user
user:email
read:org

Review checklist

  • Confirm read:user is sufficient for username, avatar, bio
  • Confirm user:email is needed and email is actually stored
  • Evaluate if read:org is needed at onboarding or can be deferred
  • Check Supabase GitHub provider default scopes — no overlap/duplication
  • Document final scope set with justification in SECURITY.md

Why this matters

Requesting excess OAuth scopes is a security and trust risk. Developers will scrutinise what we ask for.
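One way to make the checklist above repeatable is a small audit script that reads the scopes a token actually carries and compares them with the documented minimum. The block below is an added example for this issue, not code from the project: it parses GitHub's `X-OAuth-Scopes` response header (comma-separated), applies GitHub's documented scope hierarchy (`user` implies `read:user` and `user:email`; `admin:org` implies `write:org` implies `read:org`), and reports missing, excess, over-broad and deferrable scopes. The `REQUIRED_SCOPES` and `DEFERRABLE_SCOPES` sets are assumptions that reflect the checklist; the header values are constructed sample input.

```python
"""Audit a GitHub OAuth token's scopes against the minimum set the /connect flow needs.

Added example for the scope audit in this issue; not project code.
"""
from __future__ import annotations

# Assumption taken from the review checklist: profile fields need read:user,
# the stored e-mail needs user:email.
REQUIRED_SCOPES = frozenset({"read:user", "user:email"})

# Assumption: read:org may be acceptable later, but not at onboarding.
DEFERRABLE_SCOPES = frozenset({"read:org"})

# GitHub's documented scope hierarchy: a broader scope implies narrower ones.
IMPLIES: dict[str, set[str]] = {
    "user": {"read:user", "user:email", "user:follow"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
}


def parse_scopes_header(value: str) -> set[str]:
    """Parse the comma-separated X-OAuth-Scopes header GitHub returns on API calls."""
    return {part.strip() for part in value.split(",") if part.strip()}


def expand(scopes: set[str]) -> set[str]:
    """Return the closure of the granted scopes under the implication table."""
    effective = set(scopes)
    frontier = list(scopes)
    while frontier:
        scope = frontier.pop()
        for implied in IMPLIES.get(scope, ()):
            if implied not in effective:
                effective.add(implied)
                frontier.append(implied)
    return effective


def audit_scopes(
    granted: set[str],
    required: frozenset[str] = REQUIRED_SCOPES,
    deferrable: frozenset[str] = DEFERRABLE_SCOPES,
) -> dict:
    """Compare granted scopes with the minimum set and classify every deviation."""
    granted = set(granted)
    effective = expand(granted)
    # A required capability that the token cannot exercise, even via a broader scope.
    missing = required - effective
    # Anything requested that is neither required nor explicitly deferrable.
    excess = granted - required - deferrable
    # Broader scopes that cover a required one (e.g. `user` instead of `read:user`).
    over_broad = {s for s in granted if s not in required and IMPLIES.get(s, set()) & required}
    # Scopes we allow, but only after onboarding.
    deferred = granted & deferrable
    return {
        "missing": sorted(missing),
        "excess": sorted(excess),
        "over_broad": sorted(over_broad),
        "deferred": sorted(deferred),
        "ok": not missing and not excess,
    }


def audit_header(header_value: str) -> dict:
    """Convenience wrapper: audit straight from an X-OAuth-Scopes header value."""
    return audit_scopes(parse_scopes_header(header_value))


if __name__ == "__main__":
    # Constructed sample header values, as GitHub would return them.
    for sample in ("read:user, user:email, read:org", "user, read:org, repo", "read:user"):
        print(sample, "->", audit_header(sample))
```

Run it against a real response by copying the `X-OAuth-Scopes` header from any authenticated call to `https://api.github.com/user`; a result with `ok: False` means the requested set in the provider configuration (and any Supabase defaults merged into it) needs trimming before the final list goes into SECURITY.md.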

Metadata

Assignees

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests