auth-app.js: Using with @octokit/graphql & GHES fails with 406
This is similar to #47, but when using createAppAuth.
We have some code that looks like this:
const { createAppAuth } = require('@octokit/auth-app');
const { graphql } = require('@octokit/graphql');
const { request } = require('@octokit/request');

function graphqlForInstallation(installationId) {
  const auth = createAppAuth({
    id: GITHUB_APP_ISSUER_ID,
    privateKey: PEM,
    installationId,
    request: request.defaults({
      baseUrl: `${GITHUB_BASE_URL}/api/v3`,
    }),
  });
  const graphqlWithAuth = graphql.defaults({
    baseUrl: GITHUB_BASE_URL,
    request: {
      hook: auth.hook,
    },
  });
  return graphqlWithAuth;
}
When this is used with public GitHub it works okay. However, when it is used with GHE v2.18 (specifically tried with 2.18.20), we get an error with the following stack trace (partial, starting at @octokit/auth-app code):
TypeError: Cannot convert undefined or null to object
    at Function.keys (<anonymous>)
    at set (/usr/src/app/node_modules/@octokit/auth-app/dist-node/index.js:65:63)
    at getInstallationAuthentication (/usr/src/app/node_modules/@octokit/auth-app/dist-node/index.js:161:9)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async hook (/usr/src/app/node_modules/@octokit/auth-app/dist-node/index.js:280:7)
I looked into applying the workaround mentioned in #47, but after reading through some of the code here, I think that may not be possible at this time.
Looking at the stack trace, the problem seems to be when octokit is getting installation authentication via the request auth hook:
    at getInstallationAuthentication (/usr/src/app/node_modules/@octokit/auth-app/dist-node/index.js:161:9)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async hook (/usr/src/app/node_modules/@octokit/auth-app/dist-node/index.js:280:7)
I believe that is called right here: https://github.com/octokit/auth-app.js/blob/71e1d1d8a2672686464a9399655bcd8872da6e58/src/hook.ts#L32
This is calling getInstallationAuthentication with {} as the second argument. Here’s the signature: https://github.com/octokit/auth-app.js/blob/71e1d1d8a2672686464a9399655bcd8872da6e58/src/get-installation-authentication.ts#L11-L15
The second argument here is options, which is where it pulls permissions when making the request:
https://github.com/octokit/auth-app.js/blob/71e1d1d8a2672686464a9399655bcd8872da6e58/src/get-installation-authentication.ts#L58-L61
So since createAppAuth or the hook do not provide a way for us to specify this permissions option, I don’t think we can use this workaround with createAppAuth.
Is there an alternative approach we could use here, or would you be open to making a change to this package to make this work?
About this issue
- State: closed
- Created 4 years ago
- Comments: 19 (17 by maintainers)
@gr2m Yep, that works! Here’s my diff:
Apologies for not getting back to you. I’m looking into it right now
We have now updated GHE to 2.20.14, and I just wanted to report that the behavior is the same as I observed with 2.20.12.
We’ve recently updated GHE to 2.20.12 and I tried this stuff again and I’m seeing similar behavior.
- {} to { permissions: {} } in @octokit/auth-app/dist-node/index.js line 288: 406 error
- requestOptions.url = requestOptions.url.replace('/api/app/installations/', '/api/v3/app/installations/'); to the fetchWrapper function in @octokit/request/dist-node/index.js (line 28): Successful request
So it seems that the newer version of GHE no longer needs the empty permissions object, but the URLs are still not able to be set correctly to get through a GraphQL request that also ends up making a REST request for authentication, since it tries to POST to /api/app/installations/<APP ISSUER ID>/access_tokens instead of /api/v3/app/installations/<APP ISSUER ID>/access_tokens.
I did not have time to look into this yet. I will keep you posted.
I think we’re going to try the same thing with github enterprise before we put together a PR (@lencioni and I).
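The URL rewrite reported in the comments above (the token request going to /api/app/installations/... instead of /api/v3/app/installations/...), written as a stand-alone check. This is an added example, not code from the thread or from the Octokit packages; `restUrlForGhes` and the `ghe.example.com` host are hypothetical. It goes slightly beyond the one-line replace by refusing URLs on a different origin, so the app JWT is only ever attached to requests for the configured server.

```javascript
// Added example: hypothetical helper, not part of @octokit/auth-app or @octokit/request.
// On GitHub Enterprise Server the REST API is rooted at /api/v3 and GraphQL at /api/graphql.
const REST_PREFIX = '/api/v3';
const GRAPHQL_PATH = '/api/graphql';

// Return the URL that should actually be requested, or throw if the request
// must not carry app credentials (JWT or installation token).
function restUrlForGhes(baseUrl, requestUrl) {
  const base = new URL(baseUrl);
  const target = new URL(requestUrl, base); // relative URLs resolve against the base

  // Credentials signed with the app's private key stay on the configured server.
  if (target.origin !== base.origin) {
    throw new Error(`refusing credentialed request to ${target.origin}`);
  }

  // The GraphQL endpoint is left untouched.
  if (target.pathname === GRAPHQL_PATH) return target.href;

  // Already under the REST root: nothing to rewrite.
  if (target.pathname === REST_PREFIX ||
      target.pathname.startsWith(REST_PREFIX + '/')) {
    return target.href;
  }

  // REST path built against the bare /api root, for example
  // /api/app/installations/<id>/access_tokens: insert the missing /v3 segment.
  if (target.pathname.startsWith('/api/')) {
    target.pathname = REST_PREFIX + target.pathname.slice('/api'.length);
    return target.href;
  }

  throw new Error(`unexpected API path ${target.pathname}`);
}

// Constructed sample input; 42 stands in for the id in the token URL.
const fixed = restUrlForGhes(
  'https://ghe.example.com/api',
  'https://ghe.example.com/api/app/installations/42/access_tokens'
);
console.log(fixed);
```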