TIL how to implement GitHub OAuth for an otherwise completely static website (HTML+JavaScript on GitHub Pages) using Cloudflare Workers: https://til.simonwillison.net/cloudflare/workers-github-oauth
-
@simon That is a very cool posting, thanks for sharing this!
I have looked into OAuth 2.0 and OIDC recently, I wonder what your thoughts are about adding CSRF protection? There seems to be no checking of the state parameter in the workers code.
-
@rombert you're right: checking the state parameter is important to avoid situations where an attacker can force someone into inadvertently writing gists to an account the attacker controls
I'll fix that in the morning and update my TIL
-
@rombert just fixed that and updated my TIL - thanks for calling it out! https://til.simonwillison.net/cloudflare/workers-github-oauth#user-content-preventing-csrf-attacks
-
Updated the code and the TIL to mitigate a potential CSRF vulnerability in the OAuth flow - details here https://til.simonwillison.net/cloudflare/workers-github-oauth#user-content-preventing-csrf-attacks
-
It seems to me this is a good example of something people need to understand but many aren't. I appreciate the transparency on process here!
An AI can give you code.
An AI with a human with basic programming skills can give you working code.
But it takes a human - or humans - with good skills and real world experience to give you correct code. Code you can trust.
That really doesn't have a lot to do with AI - when coding professionally, I'm never happy (or sure) with my code until it gets peer reviewed and tested thoroughly.
The AI is a timesaver (sometimes). It's a tool to augment a coder, not a replacement.
-
@tbortels completely agree. This whole exercise is a good example of why I'm not worried that I'll be out of work because "anyone with an LLM can write code now"
Writing code is only a small subset of what it takes to deliver useful (and in this case secure) software