Could not fetch a list of the store channels: Request failed with status code 403

[chmelev]

Expected behavior

Theme gets applied without errors when doing the stencil push

Actual behavior

Theme application step (after the "Would you like to apply your theme to your store?" question) fails with the following error:

not ok -- Error: Could not fetch a list of the store channels: Request failed with status code 403

Steps to reproduce behavior

Get the latest (4/8/2024) stencil-cli, do the stencil init, and then stencil push.
NOTE - the pre-4/8/2024 version works fine

Environment

Stencil-cli version stencil --version: 7.4.2

Node version node -v: 18.19.0

NPM version npm -v: 10.2.3

OS: fails on Windows and Linux

[AndrewBarber]

Initial look into this, I am thinking that the access token used, does not have access to ${apiHost}/stores/${storeHash}/v3/channels endpoint.

Looking into docs to see what permissions are required...

[AndrewBarber]

Ok looks highly likely this is permissions of the access token. Steps to recreate:

Goto: BCAdmin > Settings > Store-level API account > Create API Account
Generate Token type = Stencil CLI token

The token generated does not have access to /v3/channels. Which is now used within stencil cli here.

{
    "status": 403,
    "title": "You don't have a required scope to access the endpoint",
    "type": "https://developer.bigcommerce.com/api-docs/getting-started/api-status-codes",
    "errors": {}
}

[chmelev]

How am I supposed to get the Stencil CLI token with /v3/channels access? Is that an undocumented feature?

[AndrewBarber]

I'd expect that BC will need to fix this functionality when the token is generated from BC Admin.

Two options to unblock you immediately would be:

• You could generate a V2/V3 token with the correct permissions. (I'm unable to check what those would be at the moment as I'm on mobile)
• Use a version of stencil cli prior to 7.4.2.

[tzvimoshe]

Following

[bc-jz]

Hi @chmelev,

Thank you for reporting this issue and sorry about the problem. I didn't recognize when adding this new "channels" request that the standard Stencil CLI token was missing the needed "read-only channel settings" scope. That became required with this change:
#1180

We have released a new update, version 7.5.1, that will address this issue for people running into the scope error. Please go ahead and update to the latest version of stencil-cli for a quick fix. Our change will simply bypass the scope error and make things act as they did before the update that introduced this new scope requirement (version 7.4.2).

Downgrading to version 7.4.1 or below is another way to resolve this issue quickly.

This new "channels" scope is here to stay though so to accommodate that going forward, you will need to generate a new stencil cli auth token that includes the "read-only channel settings" permission (as suggested by @AndrewBarber).

That can be done within the control panel under Settings -> Api -> Store-level Api Accounts but you do need store owner level access to the store to do this. Right now when creating the new token you must manually add this new scope:

We are also in the process of updating the standard "Stencil CLI token" to include the "read-only channel settings" scope. Before long simply regenerating that specific token will correct this issue as well:

Feel free to let me know if you have questions about this. Sorry again about this oversight.

[chmelev]

Hi @bc-jz,

Just to be clear - while the Stencil CLI Token generation is being fixed, you're suggesting using the V2/V3 API Token instead, right?

[bc-jz]

Hi @bc-jz,

Just to be clear - while the Stencil CLI Token generation is being fixed, you're suggesting using the V2/V3 API Token instead, right?

I am suggesting it as a possible replacement but if you don't want to bother with choosing the correct scopes then you can just wait for the stencil cli token update. That should be available in the next day and once you are on version 7.5.1+ of stencil-cli, there is no longer a blocking failure if your auth token is missing the "store channel settings read only" scope.

The "stencil CLI token" is simply a v2/v3 api token where we predefine the scopes it should have available based on the actions taken when utilizing stencli-cli. The necessary scopes you would apply to match what we will have on the stencil cli token are:

• store sites read only
• store information
• store channel settings read only

There is one more scope that changes depending on if you are only doing local development or needing to publish changes. If you need to publish changes then you need the store_themes_manage scope. That can be more conservatively set to store_themes_read_only if you are only doing local development.

The danger with generating a v2/v3 api token to replace the stencil cli token is simply that you apply too many or too few scopes. Too few can result in errors like we have seen with this missing Channels scope. Too many would grant whomever is using this token greater access to your store's api than what is necessary to do theme development.

[bc-jz]

To close the loop on this I confirmed that the Stencil CLI token generated in the Control Panel now has all needed scopes to work properly with the newest versions of stencil-cli. As a summary for anyone seeing 403 errors when using version 7.4.2 or 7.5.0 of stencil-cli:

1. You should regenerate your "Stencil CLI" token to get the scopes needed to avoid the error.
2. If you can't get a new token soon you can downgrade to 7.4.1 or update to 7.5.1+ to also get around the error.