We have detected you have the following credentials that are 2 years or older

About 11h ago, we upgraded to Discourse 2.5.0.beta5. I subsequently received a message from the system account that said:

We have detected you have the following credentials that are 2 years or older

github_client_secret - 2016-08-26 20:07:03 UTC

These credentials are sensitive and we recommend resetting them every 2 years to avoid impact of any future data breaches

This is a bit surprising. Although I’m an admin on the site, I don’t use github credentials to log in.

  1. What is the github_client_secret? Where is it used?
  2. How would I reset its value?

My Google-fu isn’t strong this morning. Any links would be appreciated. Many thanks.

2 Likes

Yes, this was a new and experimental feature and we pushed it out a bit too soon. My apologies.

This is more of an informational thing that doesn’t require direct action.

We’re toning it down and defaulting it off for this release, but we believe that it has long term merit in terms of warning people about many years old shared credentials.

I think in this case if you’re not using GitHub authentication for your user logins, as in “Log in with GitHub”, you could remove those settings. But if your users are using GitHub to log in, you probably still want it – you could cycle the secret if you desire via the github website.

8 Likes
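To make the behaviour of the feature discussed above concrete, here is a small added example (not code from Discourse or from anyone in this thread) of a stale-credential check: given a set of site settings with the time each was last changed, it flags the sensitive ones that are two years or older and renders a notice in the shape of the message quoted in the opening post. The setting names other than github_client_secret, the extra timestamps and the reference "now" are constructed for the example.

```ruby
require "time"

# Threshold used in the thread: credentials older than 2 years get flagged.
STALE_AFTER_SECONDS = 2 * 365.25 * 24 * 3600

# Names treated as sensitive. The only one on the page is github_client_secret;
# the others are hypothetical names added to show the shape of the check.
SENSITIVE_SETTINGS = %w[github_client_secret example_api_key example_signing_secret].freeze

# settings: Hash of setting name => Time (UTC) the value was last changed,
#           or nil when no change time was recorded.
# Returns an Array of [name, updated_at] pairs considered stale, oldest first.
# Settings that are not sensitive, or whose age is unknown, are not flagged.
def stale_credentials(settings, now: Time.now.utc)
  settings.select { |name, updated_at|
    SENSITIVE_SETTINGS.include?(name) &&
      !updated_at.nil? &&
      (now - updated_at) >= STALE_AFTER_SECONDS
  }.sort_by { |_, updated_at| updated_at }.to_a
end

# Builds the notice text in the style of the system message quoted in the thread,
# or returns nil when nothing is stale (so no message would be sent).
def stale_credentials_message(settings, now: Time.now.utc)
  stale = stale_credentials(settings, now: now)
  return nil if stale.empty?

  lines = ["We have detected you have the following credentials that are 2 years or older", ""]
  stale.each { |name, t| lines << "#{name} - #{t.strftime('%Y-%m-%d %H:%M:%S UTC')}" }
  lines.join("\n")
end

# Constructed sample input: the github_client_secret timestamp is the one from the
# thread; the other entries and the reference time are made up for this example.
SAMPLE_SETTINGS = {
  "github_client_secret"   => Time.parse("2016-08-26 20:07:03 UTC"),
  "example_api_key"        => Time.parse("2019-11-02 09:15:00 UTC"), # recent, not flagged
  "example_signing_secret" => nil,                                   # age unknown, skipped
  "title"                  => Time.parse("2014-01-01 00:00:00 UTC"), # not a credential
}.freeze
SAMPLE_NOW = Time.parse("2020-04-01 00:00:00 UTC")

if __FILE__ == $PROGRAM_NAME
  puts stale_credentials_message(SAMPLE_SETTINGS, now: SAMPLE_NOW)
end
```

Note that a setting with no recorded change time is skipped rather than flagged: the check can only reason about ages it actually knows, which is also why the notice is informational and the decision to rotate or remove a secret stays with the admin.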

Ah, the experimental feature that slipped out. No biggie.

I’m not sure how to do this, so it would be really helpful to provide a link to Github that tells how to “… cycle the secret if you desire via the github website.”

Thanks.

2 Likes