51b1c25
51b1c2578a2a258ebe3c188d5341d9d544497e482974738
e7b699a| Status | File | + | - |
|---|---|---|---|
| M |
CHANGELOG.md
|
15 | 0 |
CHANGELOG.mdmodified@@ -276,6 +276,21 @@ between minor releases. | ||
| 276 | 276 | preserved verbatim. Paginated with the standard `Link:` headers, |
| 277 | 277 | sorted oldest-first. Scope: `repo:read`. |
| 278 | 278 | - **Capability:** `issue-events` added to `/api/v1/meta`. |
| 279 | +- **Device-code login (S50 §1, RFC 8628).** | |
| 280 | + `POST /login/device/code` issues a fresh authorization grant for | |
| 281 | + a non-browser client (CLI / TV / IoT). `POST /login/oauth/access_token` | |
| 282 | + polls for the user's approval and, on success, mints a PAT bound | |
| 283 | + to the requested scopes. The browser-facing verification page is | |
| 284 | + served at `GET /login/device` (CSRF-protected). The matching CLI | |
| 285 | + endpoints are CSRF-exempt. `client_id` is enforced against an | |
| 286 | + allowlist (default: `shithub-cli`); requested scopes go through | |
| 287 | + the standard `pat.ValidScope` filter so unknown scopes fail | |
| 288 | + cleanly with `invalid_scope`. The minted PAT is disclosed exactly | |
| 289 | + once — subsequent exchanges of the same `device_code` return | |
| 290 | + `invalid_grant` even after successful approval. RFC 8628 §3.5 | |
| 291 | + error semantics (`authorization_pending`, `slow_down`, | |
| 292 | + `access_denied`, `expired_token`) are honored. | |
| 293 | +- **Capability:** `device-code` added to `/api/v1/meta`. | |
| 279 | 294 | |
| 280 | 295 | ### Added (internal) |
| 281 | 296 | |