Prevent building and publishing plugins from different repositories other than authors

[rockstardev]

Right now, there's nothing preventing someone from linking repositories under different GitHub accounts and then publishing plugins. This means there could be multiple "by Kukks" plugins published by different Plugin Builder accounts - some of which Kukks doesn't control.

[TChukwuleta]

For this, we can do something around TXT domain verification with the Github repo... A possible solution

I'd try wrapping my head around this.. and once I have a headway, I can tackle this.

Any other alternative?

[rockstardev]

It would have something to do with people specifying their GitHub account and verifying it. Once that is set, you can only publish from repositories in that account.

[TChukwuleta]

So flow I came up with..
Use a flag to confirm if the user has validated their github repository...
Before the user can create a new slug, we use the flag to know if we would redirect to the verification process screen or allow the user continue with the plugin creation process..

The user would submit a github profile url..
To verify the github profile:
A unique Id (UUID) would be generated for the user
The user would be required to create a new public github gist and then use the generated UUID as the content of the gist.
Once created, the user would submit the gist ID...

How the plugin builder verifies..
Using the Gist APIs... Validate that the gist Id submitted exist.
There is a owner.login property which corresponds to the user that created the gist.. Validates that the value matches the github profile URL submitted.
Confirm also from the api response that the token generated matches the content of the file in the response.

I believe this flow confirms the user. Then we can update our initial flag...

See scrambled implementation for the verification process.
https://gist.github.com/TChukwuleta/3b545497ae012c40574ec842cbe373ab

if you think this can fly, I can assign to myself

[dennisreimann]

Rather than using a separate gist, why not simply add a file at the root of the plugin build dir, which contains the plugin UUID?

[TChukwuleta]

hmm.. So for every new plugin they would need to add the file..

So two things I was considering was that I didn't want to save the UUID, it would be cached on client side till validation is complete.. The user can delete the gist afterwards.

And then it was just going to be a one time validation.

But yea, yours works too

[dennisreimann]

So for every new plugin they would need to add the file..

I don't think it's a problem and the builder can immediately do the verification on checkout.

[rockstardev]

Guys, let's not create these extended discussion threads because I don't have time to go the whole day back and forth on different approaches and waste time chatting on issues.

We have a meeting today. Let's agree on one approach and then proceed to implement it.

I think gist allows us to verify GitHub username as well, and one time check like that should work. Once we have it - then during every publish you can still enforce this check to ensure user is not switching between repositories and that's it.