feat(provider): use more restrictive default scope for GitHub (nextau…

…thjs#2579) When using the default settings of the Github provider, with the "user" scope, it grants read/write access to profile info only. By changing to "read:user" and "user:email" it will only request read-only access https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps BREAKING CHANGE: By default, the GitHub Provider scope won't ask for full write access to user profiles. If you need that, you will now have to add the `user` scope to your configuration.
anthonyringoet · Aug 21, 2021 · e15bf9b · e15bf9b
1 parent e06ced5
commit e15bf9b
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/providers/github.js b/src/providers/github.js
@@ -3,7 +3,7 @@ export default function GitHub(options) {
     id: "github",
     name: "GitHub",
     type: "oauth",
-    authorization: "https://github.com/login/oauth/authorize?scope=user",
+    authorization: "https://github.com/login/oauth/authorize?scope=read:user+user:email",
     token: "https://github.com/login/oauth/access_token",
     userinfo: "https://api.github.com/user",
     profile(profile) {