RFC: Verified Account Linking #71
Conversation
Would this be queryable from the outside, i.e., if I know someone's GitHub, I could trivially determine which npm account is linked to it?
Potentially, yes! The registry will store that information. This RFC outlines a CLI-based interface for interacting with that information, which doesn't preclude making it available via a general-purpose API.
Would these all just be OAuth handshakes? I know I've come across similar features on other platforms. If I make an account on npm, and want to link my GitHub, I have to log into GitHub to prove I own that account. Which is an OAuth flow, right? Can we still accomplish this from the CLI?
The CLI can provide you a URL you need to visit to complete the OAuth flow, which is a standard way to complete the OAuth dance from the CLI.
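The CLI-initiated flow described in the reply above, as an added example that is not code from the RFC or from npm: the CLI builds the authorization URL it prints, keeps a random `state` and a PKCE verifier in memory, and rejects any loopback callback whose `state` does not match. The authorize endpoint, client id and redirect URI are placeholders, not real values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders: a real CLI would take these from the provider's OAuth app
# registration, not from this thread.
AUTHORIZE_ENDPOINT = "https://provider.example/login/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "http://127.0.0.1:8765/callback"  # loopback listener the CLI opens


def build_authorization_request(client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Return (url, state, code_verifier). The CLI prints `url` for the user to
    open in a browser and keeps `state` and `code_verifier` in memory only."""
    state = secrets.token_urlsafe(32)          # ties the callback to this CLI run
    code_verifier = secrets.token_urlsafe(64)  # PKCE: only this process can redeem the code
    challenge = base64.urlsafe_b64encode(
        hashlib.sha256(code_verifier.encode()).digest()).rstrip(b"=").decode()
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "read:user",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state, code_verifier


def validate_callback(callback_url, expected_state):
    """Check the redirect the browser delivers to the loopback listener.
    Returns the authorization code, or None if the callback must be rejected."""
    parsed = urlparse(callback_url)
    query = parse_qs(parsed.query)
    if parsed.path != urlparse(REDIRECT_URI).path:
        return None                              # not the callback path we registered
    if "error" in query:
        return None                              # user denied, or provider-side error
    state = query.get("state", [""])[0]
    code = query.get("code", [""])[0]
    # Constant-time compare; a mismatched state means this callback did not come
    # from the URL we printed (CSRF), so the code must not be redeemed.
    if not state or not secrets.compare_digest(state, expected_state):
        return None
    return code or None
```

The returned code is then exchanged for a token together with `code_verifier`; that request, and the registry write that records the link, are outside this snippet.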
@djsauble have you looked into something like how keybase verifies identity? https://keybase.io/docs/proof_integration_guide |
This has already been implemented for GitHub and Twitter. |
@nickmccurdy is this queryable via the API? Also, can I link an npm org to a GitHub org?
Yes: https://registry.npmjs.org/-/npm/v1/user
I can't confirm this since I'm not in any npm orgs, but I'm assuming no, since this is documented as an account level feature. |
I'm not sure the RFC can be considered completed if it doesn't work for orgs? |
You could at least verify based on who published the package though, right? |
If it were based on publishes it’d be in package.json; this is a momentary setting that isn’t connected to publishes.
I mean you could programmatically find the publishing user and then look up their profile via the API.
True, although unfortunately the packument only preserves the npm username at the time of publish, not the GitHub account they were linked with at the time, and I'm not sure the GitHub API can tell me what historical permissions an account had.
What / Why
Add a verified way to link your npm account with other accounts that you own.
OSS works because of its web of trust. When anyone can masquerade as anyone else, this web of trust is weakened. We need a way for someone linking their (for example) GitHub or Twitter account to prove ownership of those linked accounts.
See the RFC for more details.