Authentication overview

24 Pull Requests integrates with GitHub to provide its core functionality, which involves tracking user contributions to open-source projects during the annual December initiative. Consequently, user authentication for 24 Pull Requests is handled exclusively through GitHub OAuth 2.0. This means that users do not create separate accounts or credentials directly with 24 Pull Requests. Instead, they authorize 24 Pull Requests to access specific, limited information from their existing GitHub account.

The OAuth 2.0 authorization code flow means that 24 Pull Requests never receives or stores a user's GitHub password: the login itself takes place on GitHub's own pages. After the user authenticates there and approves the requested permissions, GitHub issues an access token to 24 Pull Requests. That token is a bearer credential limited to the granted scopes, and it lets 24 Pull Requests retrieve public profile data, such as the user's GitHub username and repository activity, which is what the platform needs to identify contributions and display them. The flow starts when a user attempts to log in or connect their GitHub account on the 24 Pull Requests website and is redirected to GitHub's authorization page.

Supported authentication methods

24 Pull Requests supports a single, standardized authentication method: GitHub OAuth 2.0. This approach simplifies the user experience by leveraging an existing identity provider and enhances security by delegating credential management to GitHub. The primary use case for this authentication is to identify users and track their pull request contributions against the open-source projects listed on the platform.

Authentication Methods for 24 Pull Requests

  Method:          GitHub OAuth 2.0
  When to use:     Logging in to 24 Pull Requests; linking a GitHub profile for contribution tracking
  Security level:  High (password handling is delegated to GitHub's security infrastructure; 24 Pull Requests holds only a scoped access token)

The choice of GitHub OAuth 2.0 aligns with the platform's mission to facilitate open-source contributions, as GitHub serves as the primary repository hosting and collaboration platform for most of these projects. This integration allows 24 Pull Requests to display a user's public contributions accurately and provides a seamless experience for developers already active on GitHub.

Getting your credentials

Since 24 Pull Requests uses GitHub OAuth 2.0, you do not generate specific credentials for 24 Pull Requests itself. Instead, you use your existing GitHub account credentials. The process to authenticate and link your GitHub account with 24 Pull Requests involves the following steps:

  1. Navigate to 24 Pull Requests: Go to the 24 Pull Requests homepage.
  2. Initiate Login/Connect: Look for a "Log in with GitHub" or "Connect GitHub" button, typically located in the navigation bar or a prominent section of the site.
  3. Redirect to GitHub: Clicking this button will redirect your browser to GitHub's authorization page. This page will display information about the permissions 24 Pull Requests is requesting (e.g., access to your public profile, user email).
  4. Authorize Application: If you are not already logged into GitHub, you will be prompted to sign in on github.com with your GitHub username and password (and your second factor, if you have enabled two-factor authentication). These credentials are entered on GitHub only; 24 Pull Requests never sees them. After signing in, or if already logged in, you will be asked to review and authorize the specific permissions requested by 24 Pull Requests.
  5. Grant Access: Click "Authorize" to grant 24 Pull Requests the necessary access.
  6. Redirect back to 24 Pull Requests: GitHub will then redirect your browser back to the 24 Pull Requests website with a short-lived, single-use authorization code. 24 Pull Requests exchanges this code for an access token directly with GitHub's servers; the exchange is server-to-server because it requires the application's client secret, which is never sent to the browser.
  7. Completion: You will now be authenticated on 24 Pull Requests, and your GitHub profile will be linked, allowing the platform to track your contributions.

It is crucial to review the requested permissions on the GitHub authorization page before granting access; the scope names listed there state exactly what the application will be able to do. 24 Pull Requests requests only the scopes needed for its functionality, primarily reading public profile information and repository events in order to identify pull requests. Note that GitHub scopes differ considerably in what they permit: read:user and user:email are read-only, whereas public_repo grants read and write access to your public repositories.

Authenticated request example

As 24 Pull Requests is a web-based platform that leverages GitHub's API behind the scenes for tracking contributions, users do not typically make direct authenticated API requests to 24 Pull Requests. Instead, the authentication process described above grants the 24 Pull Requests web application the ability to make requests to the GitHub API on the user's behalf. The user's interaction is primarily through the browser-based interface.

However, understanding how the underlying authentication works can be illustrated by considering a conceptual client-server flow for a web application using GitHub OAuth:

# Conceptual flow for a web application (like 24 Pull Requests) interacting with the GitHub API after user authorization.
# Values in CAPITALS are placeholders; the callback path, client identifiers and scopes shown are illustrative,
# not the project's actual configuration.

# 1. User clicks "Login with GitHub" on 24pullrequests.com
#    -> Browser is redirected to GitHub's authorization URL. The random state value is saved in the
#       user's session so that the callback in step 3 can be tied to this login attempt.
GET https://github.com/login/oauth/authorize?client_id=YOUR_CLIENT_ID&redirect_uri=https%3A%2F%2F24pullrequests.com%2Fcallback&scope=public_repo%20user%3Aemail&state=RANDOM_STATE

# 2. GitHub authenticates the user (password, plus a second factor if 2FA is enabled) and asks for permission
#    -> User grants permission

# 3. GitHub redirects back to 24pullrequests.com with a short-lived, single-use authorization code and the same state.
#    The server must reject the request if state does not match the value saved in the session.
GET https://24pullrequests.com/callback?code=YOUR_AUTHORIZATION_CODE&state=RANDOM_STATE

# 4. 24 Pull Requests server exchanges the code for an access token. This is a server-to-server request
#    because it carries the client secret, which must never be sent to the browser.
POST https://github.com/login/oauth/access_token
Content-Type: application/json
Accept: application/json

{
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "code": "YOUR_AUTHORIZATION_CODE",
  "redirect_uri": "https://24pullrequests.com/callback"
}

# 5. GitHub responds with an access token. The "scope" field lists what was actually granted and should be
#    compared with what was requested. An invalid or expired code is reported as an "error" field in the
#    response body, so the body must be checked, not only the HTTP status.
HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": "gho_YOUR_ACCESS_TOKEN_FROM_GITHUB",
  "token_type": "bearer",
  "scope": "public_repo,user:email"
}

# 6. 24 Pull Requests server then uses this bearer token for API calls to GitHub
#    (e.g., to fetch the user's profile, public repositories or pull requests).
#    GitHub requires a User-Agent header on every API request.

GET https://api.github.com/user
Authorization: Bearer gho_YOUR_ACCESS_TOKEN_FROM_GITHUB
Accept: application/vnd.github+json
User-Agent: 24pullrequests-app

# Example GitHub API response for user data
HTTP/1.1 200 OK
Content-Type: application/json

{
  "login": "octocat",
  "id": 1,
  "node_id": "MDQ6VXNlcjE=",
  "avatar_url": "https://github.com/images/error/octocat_happy.gif",
  "gravatar_id": "",
  "url": "https://api.github.com/users/octocat",
  "html_url": "https://github.com/octocat",
  "followers_url": "https://api.github.com/users/octocat/followers",
  "following_url": "https://api.github.com/users/octocat/following{/other_user}",
  "gists_url": "https://api.github.com/users/octocat/gists{/gist_id}",
  "starred_url": "https://api.github.com/users/octocat/starred{/owner}{/repo}",
  "subscriptions_url": "https://api.github.com/users/octocat/subscriptions",
  "organizations_url": "https://api.github.com/users/octocat/orgs",
  "repos_url": "https://api.github.com/users/octocat/repos",
  "events_url": "https://api.github.com/users/octocat/events{/privacy}",
  "received_events_url": "https://api.github.com/users/octocat/received_events",
  "type": "User",
  "site_admin": false,
  "name": "monalisa octocat",
  "company": "GitHub",
  "blog": "https://github.com/blog",
  "location": "San Francisco",
  "email": "octocat@github.com",
  "hireable": false,
  "bio": "There once was...",
  "twitter_username": "monalisa",
  "public_repos": 2,
  "public_gists": 1,
  "followers": 20,
  "following": 0,
  "created_at": "2008-01-14T04:33:35Z",
  "updated_at": "2008-01-14T04:33:35Z"
}

This sequence illustrates that the authentication is managed by GitHub, and 24 Pull Requests acts as a client application consuming GitHub's API with the user's permission. The access token is kept server-side by 24 Pull Requests' backend and used for subsequent calls to the GitHub API on the user's behalf, without requiring the user to re-authenticate with GitHub for every action. Because it is a bearer token, anyone who obtains it can call the GitHub API within its scopes until it is revoked, which is why it must never be exposed to the browser; revoking the application's authorization from your GitHub settings invalidates the token.
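The login steps listed under "Getting your credentials" and the conceptual exchange above, written out as the server side of the flow. This is an added example in Ruby (the language of the 24 Pull Requests site itself), not code from the 24 Pull Requests project: the client id, client secret, callback URL, requested scopes, the session hash and the FakeGitHub stub are all assumptions made so that the flow runs offline. It adds the two checks the conceptual exchange calls for, a random state bound to the session and verified on the callback, and a comparison of the granted scopes against the requested ones, and it treats an "error" key in a 200 response from the token endpoint as a failure.

```ruby
require "json"
require "net/http"
require "securerandom"
require "uri"

# Server side of the GitHub OAuth 2.0 authorization-code flow sketched above. Example code,
# not from the 24 Pull Requests project: client id, secret, callback URL, scopes and session are assumed.
class GitHubOAuthClient
  AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
  TOKEN_URL     = "https://github.com/login/oauth/access_token"
  API_URL       = "https://api.github.com"
  class Error < StandardError; end
  # Real HTTPS transport; anything with the same post/get interface returning [status, body] can be injected.
  class NetHttpAdapter
    def post(url, headers, body); request(Net::HTTP::Post, url, headers, body); end
    def get(url, headers);        request(Net::HTTP::Get, url, headers, nil);   end
    def request(klass, url, headers, body)
      uri = URI(url)
      req = klass.new(uri, headers)
      req.body = body if body
      res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |h| h.request(req) }
      [res.code.to_i, res.body]
    end
  end
  def initialize(client_id:, client_secret:, redirect_uri:, scopes:, http: NetHttpAdapter.new)
    @client_id, @client_secret, @redirect_uri, @scopes, @http = client_id, client_secret, redirect_uri, scopes, http
  end
  # Step 1: the URL the browser is sent to. A fresh random state is stored in the
  # session so the callback can be bound to this particular login attempt.
  def authorize_url(session)
    state = session[:oauth_state] = SecureRandom.urlsafe_base64(32)
    "#{AUTHORIZE_URL}?" + URI.encode_www_form(client_id: @client_id, redirect_uri: @redirect_uri,
                                               scope: @scopes.join(" "), state: state)
  end

  # Steps 3-5: GET /callback?code=...&state=... . The stored state is consumed (single use) and
  # compared in constant time; a mismatch means this session did not start the login, so refuse.
  def handle_callback(session, params)
    expected, got = session.delete(:oauth_state), params["state"].to_s
    raise Error, "missing or mismatched state" unless expected && secure_compare(expected, got)
    raise Error, "authorization denied: #{params['error']}" if params["error"]
    exchange_code(params["code"] || raise(Error, "no authorization code in callback"))
  end

  # Step 4: server-to-server exchange, so the client secret never reaches the browser.
  def exchange_code(code)
    body = URI.encode_www_form(client_id: @client_id, client_secret: @client_secret,
                               code: code, redirect_uri: @redirect_uri)
    status, resp = @http.post(TOKEN_URL, { "Accept" => "application/json",
                                           "Content-Type" => "application/x-www-form-urlencoded" }, body)
    raise Error, "token endpoint returned HTTP #{status}" unless status == 200
    data = JSON.parse(resp)
    # GitHub can report a bad or expired code as an "error" key in a 200 body, so check the body too.
    raise Error, "token exchange failed: #{data['error']}" if data["error"]
    token = data["access_token"] || raise(Error, "no access_token in response")
    granted = data.fetch("scope", "").split(",").map(&:strip).reject(&:empty?)
    missing = @scopes - granted
    raise Error, "scopes not granted: #{missing.join(',')}" unless missing.empty?
    { token: token, scopes: granted }
  end
  # Step 6: API call with the bearer token. GitHub rejects requests that lack a User-Agent.
  def user(token)
    status, resp = @http.get("#{API_URL}/user", "Authorization" => "Bearer #{token}",
                             "Accept" => "application/vnd.github+json", "User-Agent" => "example-oauth-client")
    raise Error, "GET /user returned HTTP #{status}" unless status == 200
    JSON.parse(resp)
  end
  def secure_compare(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed stand-in for GitHub's endpoints so the example runs offline.
class FakeGitHub
  def initialize(valid_code:, token:, scope:)
    @valid_code, @token, @scope = valid_code, token, scope
  end
  def post(_url, _headers, body)
    return [200, JSON.generate("error" => "bad_verification_code")] if URI.decode_www_form(body).to_h["code"] != @valid_code
    [200, JSON.generate("access_token" => @token, "token_type" => "bearer", "scope" => @scope)]
  end
  def get(_url, headers)
    return [401, JSON.generate("message" => "Bad credentials")] if headers["Authorization"] != "Bearer #{@token}"
    [200, JSON.generate("login" => "octocat", "id" => 1)]
  end
end

def demo_client(scope: "public_repo,user:email")
  GitHubOAuthClient.new(client_id: "Iv1.example", client_secret: "example-secret",
                        redirect_uri: "https://app.example/callback", scopes: %w[public_repo user:email],
                        http: FakeGitHub.new(valid_code: "good-code", token: "gho_example", scope: scope))
end

# Full round trip against the stub; returns the authenticated user's login, "octocat" on the happy path.
def demo_login(code: "good-code", forged_state: nil, scope: "public_repo,user:email")
  client, session = demo_client(scope: scope), {}
  state = URI.decode_www_form(URI(client.authorize_url(session)).query).to_h["state"]
  client.user(client.handle_callback(session, { "code" => code, "state" => forged_state || state })[:token])["login"]
end
```

demo_login runs the happy path; passing forged_state, a wrong code or a narrower scope to it exercises the three rejection paths (state mismatch, bad_verification_code, and a token whose granted scopes fall short of what was requested). Against the real endpoints the only change is to drop the http: argument so the Net::HTTP adapter is used.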

Security best practices

When authenticating with 24 Pull Requests via GitHub OAuth, users should observe several security best practices to protect their GitHub account and data:

  • Review Requested Permissions: Always examine the scopes that 24 Pull Requests requests on the GitHub authorization page and confirm they match the expected functionality, namely reading your public profile and contribution activity. Scope names are precise: read:user and user:email are read-only, while public_repo grants read and write access to all of your public repositories. Minimal permissions limit what an attacker could do with the application's stored tokens if they were ever exposed. For details on each scope, refer to the GitHub documentation on OAuth scopes.
  • Use Strong, Unique GitHub Passwords: Since 24 Pull Requests relies entirely on GitHub for authentication, the security of your GitHub account directly impacts your security on 24 Pull Requests. Use a strong, unique password for your GitHub account that is not reused on other services.
  • Enable Two-Factor Authentication (2FA) on GitHub: Activating 2FA on your GitHub account adds an essential layer of security. Even if your password is compromised, an attacker would still need access to your second factor (e.g., a mobile device) to log in. GitHub provides detailed instructions for configuring 2FA.
  • Regularly Review Authorized GitHub Applications: Periodically check the list of applications authorized to access your GitHub account, found on GitHub under Settings > Applications > Authorized OAuth Apps. Revoke access for any application you no longer use or recognize. Revoking an authorization invalidates the access token that application holds, so old or forgotten connections stop being a standing risk.
  • Be Wary of Phishing Attempts: Check the address bar before entering your credentials: the real authorization page is served from github.com (https://github.com/login/oauth/authorize), and the redirect afterwards should land back on the 24 Pull Requests site. Phishing attacks mimic the GitHub login page to steal your password and, by prompting for it, your one-time 2FA code as well.
  • Understand Data Sharing: Be aware that by authorizing 24 Pull Requests, you are allowing it to access the specific GitHub data outlined in the permissions. This typically includes your public profile and contribution history, which is necessary for the platform's core function.

By following these best practices, users can ensure a secure and controlled authentication experience when participating in the 24 Pull Requests initiative.