alanshaw/david-www

[Help] Cannot access private repos via github oauth

Open

#375 opened on Apr 20, 2017

bug, help wanted

Description

Following the optional "sign in" feature on the README, I attempted to set up GitHub OAuth with a privately hosted david-www (AWS Elastic Beanstalk).

  • :+1: Works with public repos in AWS
  • :+1: Works with private repos with personal token via .davidrc
  • :+1: Returns ?success when using oauth flow

  • Register application
  • Update .davidrc
    {
      "github": {
        "oauth": {
          "clientId": "",
          "secret": ""
        }
      }
    }
  • Request csrf-token: http://david-www.devtools.biobright.org/csrf-token.json
  • Follow GitHub tutorial on OAuth, constructing the URL: https://github.com/login/oauth/authorize?client_id=<>&scope=repo,user,read:org&state=<csrf-token>
  • GitHub shows the user count increase / successful

  • :+1: Public repos still work
  • :hankey: Private repos fail with 502 Bad Gateway :hankey:

Failed to get package.json <org> <repo> undefined undefined { [Error: {"message":"Not Found","documentation_url":"https://developer.github.com/v3"}]
  message: '{"message":"Not Found","documentation_url":"https://developer.github.com/v3"}',
  code: 404,
  status: 'Not Found',
  headers:
   { server: 'GitHub.com',
     date: 'Thu, 20 Apr 2017 02:22:39 GMT',
     'content-type': 'application/json; charset=utf-8',
     'content-length': '77',
     connection: 'close',
     status: '404 Not Found',
     'x-ratelimit-limit': '60',
     'x-ratelimit-remaining': '45',
     'x-ratelimit-reset': '1492658501',
     'x-github-media-type': 'github.v3; format=json',
     'access-control-expose-headers': 'ETag, Link, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval',
     'access-control-allow-origin': '*',
     'content-security-policy': 'default-src \'none\'',
     'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
     'x-content-type-options': 'nosniff',
     'x-frame-options': 'deny',
     'x-xss-protection': '1; mode=block',
     'x-github-request-id': '<>' } }
/var/app/current/node_modules/hoek/lib/index.js:736
    throw new Error(msgs.join(' ') || 'Unknown error');
    ^

Error: Cannot provide statusCode or message with boom error
    at Object.exports.assert (/var/app/current/node_modules/hoek/lib/index.js:736:11)
    at Object.exports.wrap (/var/app/current/node_modules/boom/lib/index.js:76:10)
    at withManifestAndInfo (/var/app/current/dist/routes/api/project.js:26:43)
    at manifest.getManifest (/var/app/current/dist/routes/helpers/with-manifest-and-info.js:37:25)
    at batch.call.cb (/var/app/current/dist/lib/manifest.js:111:45)
    at Array.forEach (native)
    at Batch.call (/var/app/current/node_modules/david/lib/batch.js:33:7)
    at gh.repos.getContent.err (/var/app/current/dist/lib/manifest.js:111:24)
    at __dirname.sendError (/var/app/current/node_modules/github/lib/index.js:785:13)
    at /var/app/current/node_modules/github/lib/index.js:792:29

Additional debugging...

  • :question: user.json ==> null
  • :+1: Logged the access_token in routes/session.js. Used the token in .davidrc, and I can access private repos just fine ==> suggests that scopes are appropriate
  • :+1: Logged to verify that req.session.get('session/access-token') and req.session.get('session/user') are indeed set ==> application defo has correct credentials stored in session
  • :question: Unclear if linked to #366

Any ideas?
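
Added example, not part of the original issue or of david-www's code: a small Node.js helper that reads the headers of a failed GitHub API response, like the one logged above, and reports whether the request carried a token at all. It relies on GitHub's unauthenticated quota of 60 requests per hour and on the `X-OAuth-Scopes` response header GitHub sends for OAuth-token requests; `diagnoseGithubError` and the sample objects are hypothetical names.

```javascript
// GitHub's quota for requests that carry no credentials (requests per hour).
const UNAUTHENTICATED_LIMIT = 60;

// Classify a failed GitHub API call from the error object the client logs.
// Header names are lower-cased, as in the log on this page.
function diagnoseGithubError(err, requiredScope = 'repo') {
  const headers = err.headers || {};
  const limit = Number.parseInt(headers['x-ratelimit-limit'], 10);
  const raw = headers['x-oauth-scopes'];
  // null means the header is absent: GitHub saw no OAuth or personal token.
  const scopes = typeof raw === 'string'
    ? raw.split(',').map((s) => s.trim()).filter(Boolean)
    : null;
  const authenticated =
    scopes !== null || (Number.isFinite(limit) && limit > UNAUTHENTICATED_LIMIT);

  let verdict;
  if (scopes === null && !Number.isFinite(limit)) {
    verdict = 'unknown'; // no usable headers to reason from
  } else if (err.code === 401) {
    verdict = 'token-rejected'; // a token was sent but GitHub refused it
  } else if (!authenticated) {
    verdict = 'no-token-sent'; // anonymous request: private repos answer 404
  } else if (scopes !== null && !scopes.includes(requiredScope)) {
    verdict = 'missing-scope';
  } else if (err.code === 404) {
    verdict = 'not-found-or-no-access'; // token fine, repo absent or not granted
  } else {
    verdict = 'other';
  }
  return { authenticated, limit, scopes, verdict };
}

// Abbreviated from the error logged in this issue: 404, limit 60, no scopes header.
const fromIssue = { code: 404, headers: { 'x-ratelimit-limit': '60' } };
// Constructed samples: a token without the repo scope, and one with it.
const noRepoScope = {
  code: 404,
  headers: { 'x-ratelimit-limit': '5000', 'x-oauth-scopes': 'user, read:org' },
};
const withRepoScope = {
  code: 404,
  headers: { 'x-ratelimit-limit': '5000', 'x-oauth-scopes': 'repo, user, read:org' },
};

for (const sample of [fromIssue, noRepoScope, withRepoScope]) {
  console.log(diagnoseGithubError(sample).verdict);
}
```

For the response logged in this issue the helper returns `no-token-sent`, which is consistent with the API call having gone out without the session's access token rather than with a scope problem.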
