Credentials Issue

[Huddie]

Describe the bug
I'm trying to fix my PR #2157.

My example gif shows a "something went wrong" error. At first, I assumed it was some maybe network issue or something since the error is the generic one (so who really knows). I just assumed it didn't code I changed since I didn't really change anything that I can see would ever effect it.

I printed the result in addCommentClient.swift under the case: .faliure

the result is:

failure(Optional(Although you appear to have the correct authorization credentials,
the GitHawkApp organization has enabled OAuth App access restrictions, meaning that data
access to third-parties is limited. For more information on these restrictions, including
how to whitelist this app, visit
https://help.github.com/articles/restricting-access-to-your-organization-s-data/
))

I guessed it may have been my Github Client ID or Secret but

1. The app shouldn't sign me in if those aren't valid (pretty sure)
2. I added them again to make sure it was right and I'm pretty sure they are fine.

Note: Using the Testflight version of githawk works fine.

To Reproduce
Umm.. unsure.

Expected behavior
For the comment to post successfully

Screenshots
See PR with gif

Anyone have an idea of stuff I can try? Did I just forget to do something obvious? Does my code in the PR seem to mess something up in this regard? (I really don't think its the code cause it works for my other repos

Any help is appreciated

[rnystrom]

So is this a bug with the latest App Store version? Do we need to disable OAuth restrictions?

_{Sent with GitHawk}

[Huddie]

@rnystrom no this post is from the App Store version.
Not sure what is causing the error on my specific branch

_{Sent with GitHawk}

[jsg2021]

i’m also getting “something went wrong” on various projects.

though, this post was made in the app... so, not sure what’s up. (trying to comment on an issue in babel’s repo fails)

[Huddie]

Mine also works with certain one and not others. @jsg2021 What’s your access level on Babel?

_{Sent with GitHawk}

[jsg2021]

I don’t have any. Just what the public has.

[Huddie]

Ya idk it’s weird that we’d be getting that error for posting a comment. @BasThomas @rnystrom any ideas?

_{Sent with GitHawk}

[rnystrom]

I thought I saw some weird inconsistencies w/ auth between PAT and normal login b/c of third-party scopes. Is that what this is from?

[Huddie]

I logged in normally.

_{Sent with GitHawk}

[ijm8710]

@rnystrom since we closed my issue ticket today, do you have any idea what may cause it.

Also expanding on op that I’ve received this error when:

• Posting comments
• Opening/closing tickets

[rnystrom]

I don’t and haven’t had time to investigate. Would love someone’s help here.

_{Sent with GitHawk}

[Huddie]

@ijm8710 What version does this occur on for you? App Store/ TestFlight/ forked build?

For me, I haven’t experienced this error in App Store or TestFlight but from my personal fork I have.

_{Sent with GitHawk}

[ijm8710]

@Huddie testflight

The failure to post a comment is this newest one “...7256” and was produced on this repository

And the close reopen auth error was the testflight build right before it “...0019” and was produced in the cr-api-ux repository

Both issues have worked at other times in the same exact repository so it’s not restricted permissions

[ijm8710]

@Huddie is there any other info I could give to help. I’m seeing this almost daily, but only in this app, works fine in codehub and native GitHub

[ijm8710]

@rnystrom I’m seeing this super super often, essentially several times daily. I know you said a week and a half ago, you didn’t have a ton of time to investigate yourself. Is there anything that would be helpful to provide for perhaps someone to take over with more detail. Among the people most involved like bas and others, any idea who’s subject matter this best fits with?

Not to overreact, but, imo, this is a pretty significant big, it essentially makes me resort to going to github or another 3 party app every time just to post a comment which could def drive users away.

Keep in mind, it seems repo dependent. I don’t see it often, if ever, here, but I see it a ton in other specific repos.

[rnystrom]

@ijm8710 you seem to be the one hitting the the most, so you’d be a great champion to fixing it. Some ways you can contribute:

• Use Flex network debugging to inspect error messages and codes
• Read the GitHub API docs and suggest what needs changed
• GraphiQL or another REST API tool might help
• Try with a test account and see if it consistently happens

I appreciate that you’re reporting issues, but I prioritize my time based off the biggest issues, and when it’s one person hitting something I’d rather fix a bug or add a feature that everyone else is able to benefit from.

I made this project free and open source so it can be a community effort. It’s not mine or anyone else’s job to fix someone’s bug.

_{Sent with GitHawk}

[ijm8710]

Totally fair. I’ll try to do some of those things.

For what it’s worth @jukben @Huddie @jsg2021 and myself have all reported it. When there’s prob 20-25 people that are consistently active here and 25% of the users are reporting the issue, I do think it’s slightly more than an isolated issue for one user. But what you said is totally reasonable so I will try to contribute to some of the items you referenced.

[ijm8710]

@Huddie @rnystrom hey, so I ended up adding another test account to githawk using the personal access tokens. I could be wrong, but from my memory, my initial account was not setup with a personal access token, but rather a normal login plus grant access portal. With the personal account token for account two, I granted full-access. The second account, I am able to fully action items without restriction that were failing every time with the primary account.

1. am I incorrectly recalling how primary accounts were granted access?
2. is there a way to adjust primary account access or must I revoke and readd (would doing so incur any loss of data anywhere, especially githawk bookmarks? —speaking of which, I wish there was a way to back those up somewhere)
3. do my findings thus far change anything for this issue for either of you?

These findings were confirmed on the Babel repo mentioned above as well

[Huddie]

You should be able to check your access level. Pretty sure we have it in settings a link to your access. Is it different from the personal token?

_{Sent with GitHawk}

[ijm8710]

Yeah @Huddie this was different. The access you refer to highlight 3 items. I enabled like 15 for the option under developer settings as I had to set it up to generate the token.

Was I accurate that the first account doesn’t need a token and was a portal #?

[Huddie]

Ya regular # I believe only has 3 access items. Private repos, access notifications, update user info.

I’d suggest:
A) Try to figure out which repos/actions were having issues and see why it wouldn’t be covered in the 3 access. This can be confirmed with option B below.
B) You could create ta bunch of personal tokens reducing what you allow to see where the issue lies... tedious

Maybe @rnystrom has a better sense of where the issue is coming from but I’d suggest keeping up the diagnostic work and pinpoint the problem.
Sorry I can’t be more helpful I’m swamped with midterms atm.

_{Sent with GitHawk}

[ijm8710]

I’ve started doing this. I removed accesses and create a new set of permission for a token. But where would I insert this new token code in githawk? As far as a I see there is no way to remove an account or add new token info for an account (issue 1)

And I do not want to sign out of test account because that says it will sign me out of all accounts and lose my bookmarks (issue 2)

I do agree with this methodology otherwise to solve the overarching item (issue 3)

[ijm8710]

Looks like it’s the public_repo permissions

Feel free to test that in the Babel repo referenced earlier

[rnystrom]

@ijm8710 thanks for this! Is there a scope were missing from the login flow? I feel like there’s something missing there but I thought we are requesting the broadest scopes possible...

https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/

Atm we request user, repo, and notification

https://github.com/GitHawkApp/GitHawk/blob/master/Classes/#/#SplashViewController.swift

_{Sent with GitHawk}

[Huddie]

public_repo is under repo. @ijm8710 what makes it seem like public_repo is the issue? Removing public_repo would def. result in an issue in-app but doesn’t mean it’s what’s causing the problem.
Maybe try removing only the scopes we don’t request and see from those.

_{Sent with GitHawk}

[ijm8710]

@Huddie @rnystrom completely see where you guys are coming from and how the code lists user, repo and notification. And how public_repo is a sub-asset of public. But in doing my diagnosis myself, that is exactly what I did. I created 10-15 different tokens adding and removing different permissions and confidently diagnosed that public_repo is the issue and that just having that permission solves the issue I see and removing it repro’s the issue identically.

I’m guessing perhaps maybe the line item code that includes the general permissions granted might need to be slightly tweaked. Perhaps the fact that it references private affects it? I’m not sure but what I am 99% sure about is public_repo permissions are currently not being granted.

Again, try it out. Try creating test account and using it with Babel repo with and without this permission and you should be able to replicate my findings!

Let me know if there’s anything else you need me to do on this ticket. I did mention a few items here. Basically a couple things that bug-testing this causes me to notice about the app that could be optimized. Please let me know if you feel either of them are relevant, I can individually ticket either or both of them and hopefully my diagnosis here helps spur solving the main ticket on this. Thanks.

[rnystrom]

I’m going to try to setup a script to repro this and plug in different scopes.

The big bummer is that even if we solve this, people will have to logout/# to get the new permissions...

Maybe we should prioritize selective logout next.

_{Sent with GitHawk}

[ijm8710]

Are you saying that if you repro this, only existing users will be affected by having to re-login..and new users should be good going forward assuming the permissions can be tweaked?

This brings up one of the things I referenced in my last reply. I know you try to have as little server side items as possible for user safety, but is there any workaround to retain bookmarks with a log out?

I also asked if there was a way to remove an account without fully logging out and/or adjust permissions on a logged in account.Just things I came across when testing this. (This night perhaps relate to your last line)

[rnystrom]

Ya exactly. New users would be fine.

Let’s keep the bookmarks discussion in another issue.

_{Sent with GitHawk}

[rnystrom]

Gonna do some live debugging here...

---

Trying to send a HEART to this comment on babel/babel. I'm using this GraphQL:

mutation {
  addReaction(input: {subjectId: "MDU6SXNzdWUzNzcxODQ3NTg=", content: HEART}) {
    subject {
      viewerCanReact
      id
    }
  }
}

Using a token from intercepted from the basic auth route ("# with GitHub" button) yields this result:

{
  "data": {
    "addReaction": null
  },
  "errors": [
    {
      "message": "Although you appear to have the correct authorization credentials,\nthe `babel` organization has enabled OAuth App access restrictions, meaning that data\naccess to third-parties is limited. For more information on these restrictions, including\nhow to whitelist this app, visit\nhttps://help.github.com/articles/restricting-access-to-your-organization-s-data/\n",
      "type": "FORBIDDEN",
      "path": [
        "addReaction"
      ],
      "locations": [
        {
          "line": 2,
          "column": 3
        }
      ]
    }
  ]
}

Using a Personal Access Token with repo, user, and notification scopes gives this:

{
  "data": {
    "addReaction": {
      "subject": {
        "viewerCanReact": true,
        "id": "MDU6SXNzdWUzNzcxODQ3NTg="
      }
    }
  }
}

Here's the setup in PAT config

And confirmed in the .com UI:

Now this section in the "Understanding Scopes" docs has this:

So when I send a curl to https://api.github.com/users/rnystromtest to get scopes, using the PAT I get:

X-OAuth-Scopes for PAT:

notifications, repo, user

Then w/ the intercepted token:

X-OAuth-Scopes for intercepted:

notifications, repo, user

So scopes look exactly the same.

[rnystrom]

Now let's try using the V3 API for Reactions...

We can use the create Reaction for an Issue API.

URL

POST: https://api.github.com/repos/babel/babel/issues/8971/reactions

JSON Body

{
  "content": "heart"
}

Header

Accept: application/vnd.github.squirrel-girl-preview+json

Using the PAT:

{
	"id": 31889413,
	"node_id": "MDg6UmVhY3Rpb24zMTg4OTQxMw==",
	"user": {
		"login": "rnystromtest",
		"id": 28745486,
		"node_id": "MDQ6VXNlcjI4NzQ1NDg2",
		"avatar_url": "https://avatars1.githubusercontent.com/u/28745486?v=4",
		"gravatar_id": "",
		"url": "https://api.github.com/users/rnystromtest",
		"html_url": "https://github.com/rnystromtest",
		"followers_url": "https://api.github.com/users/rnystromtest/followers",
		"following_url": "https://api.github.com/users/rnystromtest/following{/other_user}",
		"gists_url": "https://api.github.com/users/rnystromtest/gists{/gist_id}",
		"starred_url": "https://api.github.com/users/rnystromtest/starred{/owner}{/repo}",
		"subscriptions_url": "https://api.github.com/users/rnystromtest/subscriptions",
		"organizations_url": "https://api.github.com/users/rnystromtest/orgs",
		"repos_url": "https://api.github.com/users/rnystromtest/repos",
		"events_url": "https://api.github.com/users/rnystromtest/events{/privacy}",
		"received_events_url": "https://api.github.com/users/rnystromtest/received_events",
		"type": "User",
		"site_admin": false
	},
	"content": "heart",
	"created_at": "2018-11-05T00:26:15Z"
}

Wo just noticed the node_id!! Need to follow up if that's available in notifications.

And we got the reaction 👌

Now what about the normal token?

{
	"id": 31889458,
	"node_id": "MDg6UmVhY3Rpb24zMTg4OTQ1OA==",
	"user": {
		"login": "rnystrom",
		"id": 739696,
		"node_id": "MDQ6VXNlcjczOTY5Ng==",
		"avatar_url": "https://avatars2.githubusercontent.com/u/739696?v=4",
		"gravatar_id": "",
		"url": "https://api.github.com/users/rnystrom",
		"html_url": "https://github.com/rnystrom",
		"followers_url": "https://api.github.com/users/rnystrom/followers",
		"following_url": "https://api.github.com/users/rnystrom/following{/other_user}",
		"gists_url": "https://api.github.com/users/rnystrom/gists{/gist_id}",
		"starred_url": "https://api.github.com/users/rnystrom/starred{/owner}{/repo}",
		"subscriptions_url": "https://api.github.com/users/rnystrom/subscriptions",
		"organizations_url": "https://api.github.com/users/rnystrom/orgs",
		"repos_url": "https://api.github.com/users/rnystrom/repos",
		"events_url": "https://api.github.com/users/rnystrom/events{/privacy}",
		"received_events_url": "https://api.github.com/users/rnystrom/received_events",
		"type": "User",
		"site_admin": false
	},
	"content": "heart",
	"created_at": "2018-11-05T00:28:21Z"
}

Success 😕

---

Why do both tokens work on the V3 API but not the GraphQL mutation?

[ijm8710]

I feel it’s because graphql does not grant public_repo access

[rnystrom]

@ijm8710 is there something I'm missing? public_repo is a subset of repo access, so its all included.

Also see above that the scopes returned in the X-OAuth-Scopes header are exactly the same for both a PAT and normal token, but GraphQL only works for the PAT.

[ijm8710]

Perhaps what I tested means absolutely nothing, but I noticed that just having public_repo made all these fails nonexistent and vice versus. Perhaps full repo access is omitting this subpermission. I’m prob focused on the wrong thing but it just seemed a huge coincidence that that access related 1:1 with the issue itself

[rnystrom]

Let me try manually changing the auth scope in GitHawk, logging in, and using that token.

Btw filed this on the GitHub API forums.

edit: GitHub marked it as spam? Trying to figure that out...

[ijm8710]

^yeah this is what I did in my testing :) happy for you to mirror

[ijm8710]

Not sure your link works in your link

[rnystrom]

Confirmed that using using public_repo and public_repo+repo in the loginUrl for scopes doesn't change anything. Still broken. Only PAT works.

@ijm8710 did you only get it working just by using a PAT? Not normal OAuth?

[ijm8710]

Correct only PAT

[rnystrom]

Ok, ya that was known for a while to work. It's normal auth that is the issue.

[ijm8710]

Sorry ;) and yeah you might have to reset your link in the troublehsoot post