Using with @octokit/graphql & GHES fails with 406 #111
Comments
Thanks Joe for reporting the issue. I'll be offline until Tuesday, but will look into it afterwards. I'd love a pull request if you get to it, I don't have a way to test against GHES 2.18 myself, I'm afraid
@gr2m Thanks for the quick response! The best approach here is not super clear to me. Three options immediately come to mind:
Of these options, I think I prefer 3 because the size of the change is relatively small and I think this would help solve this problem everywhere (might allow us to remove the caveat note from the docs). Failing that, my second choice would be 2 because it would still be a small change for me to make. What is your preference here?
@gr2m I hope you had a great holiday! How do you want to proceed here?
Thanks! I've still lots of notifications to catch up with :) For option
I've confirmed that setting
```js
const auth = createAppAuth({
  id: GITHUB_APP_ISSUER_ID,
  privateKey: PEM,
  installationId,
  request: request.defaults({
    baseUrl: `${GITHUB_BASE_URL}/api/v3`,
  }),
});
const client = graphql.defaults({
  baseUrl: GITHUB_BASE_URL,
  request: {
    hook: auth.hook,
  },
});
const data = await client(
  `
    query getCommits($name: String!, $owner: String!, $defaultBranch: String!, $since: GitTimestamp) {
      repository(name: $name, owner: $owner) {
        ref(qualifiedName: $defaultBranch) {
          target {
            ... on Commit {
              id
              history(first: 100, since: $since) {
                pageInfo {
                  hasNextPage
                  endCursor
                }
                edges {
                  node {
                    oid
                    committer {
                      date
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  `,
  {
    ...repository,
    since: '2017-10-18T00:00:00.000Z',
  },
);
```

This scenario returns the same things with the
Okay thanks for checking! Would you like to get a pull request started? We can discuss details there
I think we're going to try the same thing with github enterprise before we put together a PR (@lencioni and I).
It was tricky to make a successful request to test this. Here's the script I used:

```js
const { createAppAuth } = require('@octokit/auth-app');
const { graphql } = require('@octokit/graphql');
const jsonwebtoken = require('jsonwebtoken');
const octokit = require('@octokit/rest');
const { request } = require('@octokit/request');

const { GITHUB_BASE_URL, GITHUB_APP_PEM_BASE64, GITHUB_APP_ISSUER_ID } = process.env;
const PEM = Buffer.from(GITHUB_APP_PEM_BASE64.trim(), 'base64').toString('ascii');

function graphqlForInstallation(installationId) {
  const auth = createAppAuth({
    id: GITHUB_APP_ISSUER_ID,
    privateKey: PEM,
    installationId,
    request: request.defaults({
      baseUrl: `${GITHUB_BASE_URL}/api/v3`,
    }),
  });
  const graphqlWithAuth = graphql.defaults({
    baseUrl: `${GITHUB_BASE_URL}/api`,
    request: {
      hook: auth.hook,
    },
  });
  return graphqlWithAuth;
}

async function main () {
  const client = graphqlForInstallation(1);
  let data;
  try {
    data = await client(
      `
        query getCommits($name: String!, $owner: String!, $defaultBranch: String!, $since: GitTimestamp) {
          repository(name: $name, owner: $owner) {
            ref(qualifiedName: $defaultBranch) {
              target {
                ... on Commit {
                  id
                  history(first: 100, since: $since) {
                    pageInfo {
                      hasNextPage
                      endCursor
                    }
                    edges {
                      node {
                        oid
                        committer {
                          date
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      `,
      {
        name: 'repo-name',
        owner: 'repo-owner',
        defaultBranch: 'master',
        since: '2020-06-18T00:00:00.000Z',
      },
    );
  } catch (e) {
    throw e;
  }
  console.log(data);
}

main().catch(e => { console.error(e); });
```

I was getting stuck on only receiving 406 Not Acceptable responses. I've looked at issues like octokit/request.js#83 which suggest setting the accept header to

```js
requestOptions.headers.accept = 'application/json';
```

Looking at the request URL that we are hitting, I suspected that the base URL here might not be correct. So I added this hacky thing to

```js
requestOptions.url = requestOptions.url.replace('/app/installations/', '/api/v3/app/installations/');
```

which gave me a new error response:
If I remove the accept header hack and leave the URL hack, it seems to get past this to actually make the graphql request! If I leave
If I set it to be
So I think adding that empty object resolves part of the problem here for me, but I've also uncovered a different issue which is that I need two different

```js
const auth = createAppAuth({
  id: GITHUB_APP_ISSUER_ID,
  privateKey: PEM,
  installationId,
  request: request.defaults({
    baseUrl: `${GITHUB_BASE_URL}/api/v3`,
  }),
});
const graphqlWithAuth = graphql.defaults({
  baseUrl: `${GITHUB_BASE_URL}/api`,
  request: {
    hook: auth.hook,
  },
});
```
@gr2m did you find out anything useful yesterday?
I did not have time to look into this yet. I will keep you posted.
@gr2m is there any more information I can provide to help move this to the next step?
I'm very sorry for not getting back to you. I had to focus on wip/app#239 the past weeks, but that is coming to an end soon, after which I'll go through the open issues and PRs that I have neglected :(
Thank you!
We've recently updated GHE to 2.20.12 and I tried this stuff again and I'm seeing similar behavior.
So it seems that the newer version of GHE no longer needs the empty permissions object, but the URLs are still not able to be set correctly to get through a GraphQL request that also ends up making a REST request for authentication, since it tries to POST to
We have now updated GHE to 2.20.14, and I just wanted to report that the behavior is the same as I observed with 2.20.12.
@gr2m Can you think of a workaround that we could use in the meantime while this is still an issue?
Apologies for not getting back to you. I'm looking into it right now
@lencioni can you try the following
You can also remove

```js
request: request.defaults({
  baseUrl: `${GITHUB_BASE_URL}/api/v3`,
}),
```

It has no effect in your case. Please let me know if that resolves the
@gr2m Yep, that works! Here's my diff: diff --git a/ghe.js b/ghe.js
index 06a915b..78763ea 100644
--- a/ghe.js
+++ b/ghe.js
@@ -14,13 +14,10 @@ function graphqlForInstallation(installationId) {
id: GITHUB_APP_ISSUER_ID,
privateKey: PEM,
installationId,
- request: request.defaults({
- baseUrl: `${GITHUB_BASE_URL}/api/v3`,
- }),
});
const graphqlWithAuth = graphql.defaults({
- baseUrl: `${GITHUB_BASE_URL}/api`,
+ baseUrl: `${GITHUB_BASE_URL}/api/v3`,
request: {
hook: auth.hook,
},
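Review bot: Pointing graphql.defaults at ${GITHUB_BASE_URL}/api/v3 reads like a mistake to anyone who knows that path as the REST root, and the change is made together with the switch to a pull request build of @octokit/graphql in package.json further down in this diff, so the two appear to depend on each other. Add a one-line comment above the baseUrl line saying so. Since the request.defaults(...) option is removed from createAppAuth, also drop the require of @octokit/request at the top of ghe.js if nothing else uses it.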
diff --git a/package-lock.json b/package-lock.json
index 4bb03c0..65b523a 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -37,6 +37,18 @@
"@octokit/types": "^5.0.0",
"before-after-hook": "^2.1.0",
"universal-user-agent": "^6.0.0"
+ },
+ "dependencies": {
+ "@octokit/graphql": {
+ "version": "4.5.4",
+ "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-4.5.4.tgz",
+ "integrity": "sha512-ITpZ+dQc0cXAW1FmDkHJJM+8Lb6anUnin0VB5hLBilnYVdLC0ICFU/KIvT7OXfW9S81DE3U4Vx2EypDG1OYaPA==",
+ "requires": {
+ "@octokit/request": "^5.3.0",
+ "@octokit/types": "^5.0.0",
+ "universal-user-agent": "^6.0.0"
+ }
+ }
}
},
"@octokit/endpoint": {
@@ -50,9 +62,8 @@
}
},
"@octokit/graphql": {
- "version": "4.5.3",
- "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-4.5.3.tgz",
- "integrity": "sha512-JyYvi3j2tOb5ofASEpcg1Advs07H+Ag+I+ez7buuZfNVAmh1IYcDTuxd4gnYH8S2PSGu+f5IdDGxMmkK+5zsdA==",
+ "version": "https://github.pika.dev/octokit/graphql.js/pr/186",
+ "integrity": "sha512-hUPAXu5w3+rcJ0AjzuGgoQNhYh5QYygRdxvDAP4Nhu/5t/I3dsjaywuapY6sEsjno+O3ObYzUNDzcr0w4FKGxQ==",
"requires": {
"@octokit/request": "^5.3.0",
"@octokit/types": "^5.0.0",
diff --git a/package.json b/package.json
index 838756e..86a1197 100644
--- a/package.json
+++ b/package.json
@@ -11,7 +11,7 @@
"license": "ISC",
"dependencies": {
"@octokit/auth-app": "^2.4.14",
- "@octokit/graphql": "^4.5.3",
+ "@octokit/graphql": "https://github.pika.dev/octokit/graphql.js/pr/186",
"@octokit/request": "^5.4.7",
"@octokit/rest": "^18.0.3",
"jsonwebtoken": "^8.5.1" |
This is similar to #47, but when using `createAppAuth`.

We have some code that looks like this:

When this is used with public GitHub it works okay. However, when it is used with GHE v2.18 (specifically tried with 2.18.20), we get an error with the following stack trace (partial, starting at @octokit/auth-app code):

I looked into applying the workaround mentioned in #47, but after reading through some of the code here, I think that may not be possible at this time.

Looking at the stack trace, the problem seems to be when octokit is getting installation authentication via the request auth hook

I believe that is called right here:

auth-app.js/src/hook.ts, line 32 in 71e1d1d

This is calling `getInstallationAuthentication` with `{}` as the second argument. Here's the signature:

auth-app.js/src/get-installation-authentication.ts, lines 11 to 15 in 71e1d1d

The second argument here is `options`, which is where it pulls `permissions` when making the request:

auth-app.js/src/get-installation-authentication.ts, lines 58 to 61 in 71e1d1d

So since `createAppAuth` or the hook do not provide a way for us to specify this permissions option, I don't think we can use this workaround with `createAppAuth`.

Is there an alternative approach we could use here, or would you be open to making a change to this package to make this work?