support private repositories about composer-service HOT 14 CLOSED

we need an github oauth expert :) @ubermuda ?

from composer-service.

he was my mentor back at Knp 👶 and now he is back to teach me more 👶 /o/

from composer-service.

👍

from composer-service.

Sooo... how can we do that? :)

from composer-service.

I guess it would mean :

• a "login with GitHub" button
• each composer update is launched with a special profile if user is connected so a deploy key added to a repo can't be used by another user
• on each private repo we add a deploy key to the repo

from composer-service.

Ok I'll try something thanks :)

from composer-service.

@pborreli thinking a bit further this could also be another "upload" option (despite upload composer.json, composer.lock).

So one could choose a project out of the list of github projects he has access to (after a oauth-login).

So the user would select a github project and composeraas would fetch the composer.json/.lock from github instead of a file upload

from composer-service.

@staabm this is not the same idea. We are talking about supporting private dependencies.

In effect, for EACH private dependency, we need a github oauth token (assuming the dependency is on github) that has admin access to the repository, so we can add a deploy key to it in order to be able to download it. The catch is you can't re-use that deploy key for any other composeraas job unless you know the user is the same as the one you installed the deploy key for, or you're risking to give some code to someone who is not normally allowed to access it. And you need to do that for every private dependency.

from composer-service.

ok I didn't understand..

from composer-service.

Imagine this scenario:

You submit a composer.json with a dependency to a private repository of yours (say youbs/foo). Composeraas makes you authenticate to github and adds a deploy key to youbs/foo so that it can actually download the dependency. Very well. Now say I have knowledge of the existence of this repository, I just have to submit a composer.json with a dependency to it and composeraas will download it and hand me your (private) sources.

What this means is you have to check that the person who submits the composer.json actually has access to every private dependency they are requesting in the composer.json they are submitting.

from composer-service.

Ok, I get it, thank you!

from composer-service.

I think my initial thought was never thought in this way. Hmm or maybe i am misunderstanding. My initial thought was how i plug on my server accesses to remote private repositories and have my own SaaS fetch these dependencies. So it is more a setup documenting issue more than make things complicated unnecessarily in the current official site.

from composer-service.

if you need to access your own private repository with your own installation of the project, just launch the consumer with a user who has access to them

from composer-service.

maybe we should open documentation for installing it in-house. Closing this as i got my answer.

from composer-service.