Managing Composer Github access with Personal Access Tokens

All Drupal 8 projects are now managed using Composer. This is a powerful tool: it allows our projects to define both public and private modules or libraries, along with their dependencies, and bring them all together.
 
However, if you require public or private modules hosted on GitHub, you may run into the GitHub API rate limits. To overcome this, it is recommended to add a GitHub personal access token to your Composer configuration.
 
In this blog post, I’ll show how you can do this in a secure and manageable way.

by
Kim Pepper
/ 22 January 2020

It’s common practice when you encounter a Drupal project to see the following snippet in a composer.json file:

"config": {
    "github-oauth": {
        "github.com": "XXXXXXXXXXXXXXXXXXXXXX"
    }
},

What this means is that everyone is sharing a single account’s personal access token. While this may be convenient, it is also a major security risk should the token accidentally be made public, or should a team member leave the organisation while the token still grants them read/write access to your repositories.
A better approach is to have each team member configure their own personal access token locally. This ensures that individuals can only access repositories they have read permissions for, and once they leave your organisation they can no longer access any private dependencies.
Step 1: Create a personal access token
Go to https://github.com/settings/tokens and generate a new token.
You will need to specify all repo scopes.
Finally, hit Generate Token to create the token.
Copy this, as we’ll need it in the next step.
Step 2: Configure Composer to use your personal access token
Run the following from the command line:

composer config -g github-oauth.github.com XXXXXXXXXXXXXXXXXXXXXXX

You’re all set! From now on, Composer will use your own individual personal access token, which is stored in $HOME/.composer/auth.json.
What about Automated Testing Environments?
Fortunately, Composer also accepts an environment variable, COMPOSER_AUTH, containing a JSON-formatted string. For example:

COMPOSER_AUTH='{"github-oauth": {"github.com": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"}}'

You can simply set this environment variable in your CI environment (e.g. CircleCI, TravisCI, Jenkins) and use a personal access token specific to the CI environment.
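As an added example (not part of the original post), a small Python helper covering both points above: it flags any github-oauth entry committed in composer.json, strips it out, and builds a correctly quoted COMPOSER_AUTH value from a token held in the CI environment. The sample composer.json and the environment variable name CI_GITHUB_TOKEN are constructed for illustration.

```python
"""Added example, not from the original post: keep GitHub tokens out of
composer.json and emit a correctly quoted COMPOSER_AUTH value for CI."""
import json
import os

# Constructed sample composer.json showing the shared-token anti-pattern.
SAMPLE_COMPOSER_JSON = """{
    "name": "example/site",
    "config": {
        "github-oauth": {"github.com": "XXXXXXXXXXXXXXXXXXXXXX"}
    },
    "require": {"drupal/core": "^8.8"}
}"""


def committed_token_hosts(composer_json_text: str) -> list:
    """Return the hosts listed under config.github-oauth. Any entry is a token
    shared by everyone who clones the repo, so a non-empty result should fail
    a pre-commit or CI check."""
    data = json.loads(composer_json_text)
    oauth = data.get("config", {}).get("github-oauth", {})
    return sorted(host for host, token in oauth.items() if token)


def strip_committed_tokens(composer_json_text: str) -> str:
    """Return composer.json with the github-oauth block removed and the rest
    untouched; developers then rely on their own $HOME/.composer/auth.json."""
    data = json.loads(composer_json_text)
    config = data.get("config", {})
    config.pop("github-oauth", None)
    if not config:
        data.pop("config", None)
    return json.dumps(data, indent=4)


def composer_auth_value(token: str, host: str = "github.com") -> str:
    """Serialise the COMPOSER_AUTH object with json.dumps so the quoting is
    always valid JSON; hand-typed curly quotes make Composer ignore it."""
    if not token or token.strip() != token:
        raise ValueError("token must be non-empty with no surrounding whitespace")
    return json.dumps({"github-oauth": {host: token}})


if __name__ == "__main__":
    # CI_GITHUB_TOKEN is an assumed variable name; set it in the CI secret store.
    print("shared tokens found for:", committed_token_hosts(SAMPLE_COMPOSER_JSON))
    ci_token = os.environ.get("CI_GITHUB_TOKEN", "")
    if ci_token:
        print("COMPOSER_AUTH=" + composer_auth_value(ci_token))
```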
Summary
By using personal access tokens, you can now safely remove any tokens from the project’s composer.json file, removing the risk that they get exposed. You also know that by removing access for any ex-team members, they are no longer able to access your organisation’s repos using a token. Finally, in the event of a token being compromised, you have reduced the attack surface and can more easily identify which user’s token was used.
 

Tagged

Composer, Security, Drupal Security



This article was republished from its original source.