gh net crashes when token must be authorized for SSO

[jessehouwing]

Describe the bug
when running gh net the cli is trying to download the latest release from the github/gh-net repo. To do so it passes the access token that the gh auth login got or the token in the GH_TOKEN environmnent variable.

That token must be authorized by SSO, if you're a member of the github org on github. Which I now am.

This crashes the gh-net extension

Reproduce steps
Steps to reproduce the behavior:

1. Be signed in on your personal account that's also a member of the github org (I'm a contractor)

2. set the environment variable GH_TOKEN with a valid github token. Authorize the token on the Github org using the token Configure SSO option.

   • Permissions granted:
     • codespaces: *
     • repo: public repo
       

3. run gh net

4. Select the codespace

? Choose codespace: jessehouwing/training-manual (main*): verbose space couscous
' panicked at 'Job to copy from stream to queue stopped.', D:\a\codespaces-vpn-gateway\codespaces-vpn-gateway\vpn-gateway\src\start_client.rs:258:5
stack backtrace:

could not check for binary extension: HTTP 403: Resource protected by organization SAML enforcement. You must grant your OAuth token access to this organization. (https://api.github.com/repos/github/gh-net/releases/latest)
Authorize in your web browser:  https://github.com/orgs/github/sso?authorization_request=JGSJDGJFSLSFHKJSHFKJSHKJSHFKJHFKJHSFKHSKJFHSFKJHSFKHSFKJSHFKJSHFKJSHFKSHFKSHFKJSHFK
shell closed: exit status 1

note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

Expected behavior
The ssh tunnel is setup correctly

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: Windows
• Version 11 22H2
• Platform architecture: AMD64

Setting a full-scope PAT that's SSO-enabled still won't work. It either throws the above error or this one:

│                                                │   ···thread '<unnamed>' panicked at 'Job to copy from stream to queue stopped.', D:\a\codespaces-vpn-gateway\codespaces-vpn-gateway\vpn-gateway\src\start_client.rs:258:5                   │
stack backtrace:                                                                                                       │
   0:     0x7ff67071dd6f - <unknown>                                                                                   │
   1:     0x7ff67074020a - <unknown>                                                                                   │
   2:     0x7ff6707151d9 - <unknown>                                                                                   │
   3:     0x7ff67072083b - <unknown>                                                                                   │
   4:     0x7ff6707204bb - <unknown>                                                                                   │
   5:     0x7ff670720de9 - <unknown>                                                                                   │
   6:     0x7ff67021b9ea - <unknown>                                                                                   │
   7:     0x7ff67021ac97 - <unknown>                                                                                   │
   8:     0x7ff67075735d - <unknown>                                                                                   │
   9:     0x7ff6701da91a - <unknown>                                                                                   │
  10:     0x7ff6702221cb - <unknown>                                                                                   │
  11:     0x7ff670234c84 - <unknown>                                                                                   │
  12:     0x7ff67021b4a1 - <unknown>                                                                                   │
  13:     0x7ff67020af41 - <unknown>                                                                                   │
  14:     0x7ff67072c3bc - <unknown>                                                                                   │
  15:     0x7ffdaa4a26ad - BaseThreadInitThunk                                                                         │
  16:     0x7ffdaaccaa68 - RtlUserThreadStart                                                                          │
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Any { .. }', C:\Users\runneradmin\.cargo\registry\src\github.com-1ecc6299db9ec823\cs-utils-0.21.1\src\utils\futures\with_thread.rs:83:17                               │
stack backtrace:                                                                                                       │
   0:     0x7ff67071dd6f - <unknown>                                                                                   │
   1:     0x7ff67074020a - <unknown>                                                                                   │
   2:     0x7ff6707151d9 - <unknown>                                                                                   │
   3:     0x7ff67072083b - <unknown>                                                                                   │
   4:     0x7ff6707204bb - <unknown>                                                                                   │
   5:     0x7ff670720de9 - <unknown>                                                                                   │
   6:     0x7ff670720ced - <unknown>───────────────────────────────────────────────────────────────────────────────────┘
   7:     0x7ff67071e9a7 - <unknown>
   8:     0x7ff6707209c9 - <unknown>
   9:     0x7ff670776615 - <unknown>
  10:     0x7ff670776723 - <unknown>
  11:     0x7ff6701df253 - <unknown>
  12:     0x7ff6701fd8bb - <unknown>
  13:     0x7ff6701f36bc - <unknown>
  14:     0x7ff6701b5fdf - <unknown>
  15:     0x7ff6701dec85 - <unknown>
  16:     0x7ff6701e6b14 - <unknown>
  17:     0x7ff6701bb6ae - <unknown>
  18:     0x7ff6701cf9bd - <unknown>
  19:     0x7ff670222d75 - <unknown>
  20:     0x7ff67020fd3b - <unknown>
  21:     0x7ff670235672 - <unknown>
  22:     0x7ff670211ca8 - <unknown>
  23:     0x7ff67021b606 - <unknown>
  24:     0x7ff67021b99c - <unknown>
  25:     0x7ff67070d211 - <unknown>
  26:     0x7ff670211e27 - <unknown>
  27:     0x7ff67075510c - <unknown>
  28:     0x7ffdaa4a26ad - BaseThreadInitThunk
  29:     0x7ffdaaccaa68 - RtlUserThreadStart

[jessehouwing]

Found a workaround.

In the codespace do the following:

@jessehouwing ➜ /workspaces/training-manual (main ✗) $ unset GITHUB_TOKEN
@jessehouwing ➜ /workspaces/training-manual (main ✗) $ gh auth login
? What account do you want to log into? GitHub.com
? What is your preferred protocol for Git operations? HTTPS
? Authenticate Git with your GitHub credentials? Yes
? How would you like to authenticate GitHub CLI? Login with a web browser

! First copy your one-time code: XXXX-XXXX
Press Enter to open github.com in your browser... 
✓ Authentication complete.
- gh config set -h github.com git_protocol https
✓ Configured git protocol
✓ Logged in as jessehouwing
@jessehouwing ➜ /workspaces/training-manual (main ✗) $ gh extension install github/gh-net

Now it's possible to connect using gh net from the windows side. Looks like the error I'm getting on windows isn't happening on my local machine, but is the error that happens on the Codespaces side.

[jessehouwing]

Ideally the local gh net extension would ssh-copy the required files to the target codespace or use an anonymous request to download the release bits.

[legomushroom]

This is an old issue in GH CLI itself - it tries to use existing token for public repos which is failing in some cases. Related issue: cli/cli#6675

[jessehouwing]

The workaround could be to use the local session to download the gh-net resources, instead of having the codespace do it. In case of gh-net the remote will probably never have the right token configured.

That way the Oauth prompt and authorization can be handled locally. Or the ssh session could wait for the token to be authorized, cause GitHub does send the url to authorize the token, or will it still not work after authorization?

It could also unset the github_token environment variable on the codespace prior to trying to download the extension, that worked for me. I couldn't find the sources for gh-net, but it looks like it remotely runs a shell on codespaces to invoke the download if the release stuff. That looks like it could control the contents of the token prior to invitation...

Ideally though, gh-net wouldn't crash and would relay the error message properly.