We currently only recognize the deprecated routes:

see the new routes at https://developer.github.com/v3/apps/oauth_applications/#check-a-token

When using with Octokit, the request strategy option will be set to octokit.request. octokit.request has also the hook from auth.hook.

When doing octokit.auth({ type: 'token', code }), the request to exchange the code for a token would be sent twice, because of auth.hook. That should not happen.

Description

Node v10 has been deprecated so there is no need to keep giving support to it in our CI.

Context

You can find more details here

When making requests against endpoints that don't require authentication, I still want to use basic auth to avoid being rate-limited (strategy documented here). When using Postman I can successfully make a request to "GET /repos/{owner}/{repo}" with basic authentication and observe that the X-RateLimit-Limit header reflects the authentication (I see higher rate limits in the headers). However, when using Octokit I get this error:

Error: [@octokit/auth-oauth-app] "GET /repos/{owner}/{repo}" does not support clientId/clientSecret basic authentication. Use @octokit/auth-oauth-user instead.

I assume this error is in place to prevent users from trying to access a private repository without being authenticated as an oauth user, however, I believe it should still be valid to make a request using basic auth as an oauth app against a public repository.

Example code snippet, with id/secret removed:

import { createOAuthAppAuth } from "@octokit/auth-oauth-app";

const octokit = new Octokit({
    authStrategy: createOAuthAppAuth,
    auth: {
        clientId: "...",
        clientSecret: "...",
    },
})

const repoResult = await octokit.repos.get({ owner, repo });

The devDependency fetch-mock was updated from 7.5.0 to 7.5.1.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

fetch-mock is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

🚨 The automated release from the master branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you could benefit from your bug fixes and new features.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can resolve this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here is some links that can help you:

• Usage documentation
• Frequently Asked Questions
• Support channels

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.

Missing package.json file.

A package.json file at the root of your project is required to release on npm.

Please follow the npm guideline to create a valid package.json file.

Good luck with your project ✨

Your semantic-release bot 📦🚀

The devDependency semantic-release was updated from 17.0.2 to 17.0.3.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

semantic-release is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Location: package.json
Error type: The renovate configuration file contains some invalid settings
Message: Invalid configuration option: @pika/pack, Invalid configuration option: author, Invalid configuration option: jest, Invalid configuration option: keywords, Invalid configuration option: license, Invalid configuration option: name, Invalid configuration option: packageRules[0].@octokit/auth-oauth-device, Invalid configuration option: packageRules[0].@octokit/auth-oauth-user, Invalid configuration option: packageRules[0].@octokit/request, Invalid configuration option: packageRules[0].@octokit/types, Invalid configuration option: packageRules[0].@types/btoa-lite, Invalid configuration option: packageRules[0].btoa-lite, Invalid configuration option: packageRules[0].universal-user-agent, Invalid configuration option: packageRules[1].@octokit/core, Invalid configuration option: packageRules[1].@pika/pack, Invalid configuration option: packageRules[1].@pika/plugin-build-node, Invalid configuration option: packageRules[1].@pika/plugin-build-web, Invalid configuration option: packageRules[1].@pika/plugin-ts-standard-pkg, Invalid configuration option: packageRules[1].@types/fetch-mock, Invalid configuration option: packageRules[1].@types/jest, Invalid configuration option: packageRules[1].fetch-mock, Invalid configuration option: packageRules[1].jest, Invalid configuration option: packageRules[1].prettier, Invalid configuration option: packageRules[1].semantic-release, Invalid configuration option: packageRules[1].semantic-release-plugin-update-version-in-files, Invalid configuration option: packageRules[1].ts-jest, Invalid configuration option: packageRules[1].typescript, Invalid configuration option: publishConfig, Invalid configuration option: release, Invalid configuration option: renovate, Invalid configuration option: scripts, Invalid configuration option: version

It is not clear how to use authStrategy.

import {
  Octokit,
} from '@octokit/rest';
import {
  createOAuthAppAuth,
} from '@octokit/auth';

const octokit = new Octokit({
  auth: {
    clientId: githubOauthApp.clientId,
    clientSecret: githubOauthApp.clientSecret,
  },
  authStrategy: createOAuthAppAuth,
});

const stargazerInterator = await octokit
  .paginate
  .iterator(
    octokit.activity
      .listStargazersForRepo.endpoint.merge({
        owner: 'gajus',
        repo: 'roarr',
      }),
  );

The code passed is incorrect or expired. (bad_verification_code)

It works without authStrategy but gives deprecation warning:

import {
  Octokit,
} from '@octokit/rest';
import {
  createOAuthAppAuth,
} from '@octokit/auth';

const octokit = new Octokit({
  auth: {
    clientId: githubOauthApp.clientId,
    clientSecret: githubOauthApp.clientSecret,
  },
});

const stargazerInterator = await octokit
  .paginate
  .iterator(
    octokit.activity
      .listStargazersForRepo.endpoint.merge({
        owner: 'gajus',
        repo: 'roarr',
      }),
  );

What happened?

What did I do:
I'm trying to import and use @octokit/auth-oauth-app to handle Github user authentication in an AWS Lambda function.

What happened:
I was able to trigger the lambda function but got the following error message: No \"exports\" main defined in /var/task/node_modules/@octokit/auth-oauth-app/package.json

What did I expect:
I was expecting to be able to trigger the lambda, successfully authenticate and perform other actions using the access_token I'd have received from the authentication.

Versions

Octokit version: 8.0.2

Node version: 18.17

Relevant log output

{
    "errorType": "Error",
    "errorMessage": "No \"exports\" main defined in /var/task/node_modules/@octokit/auth-oauth-app/package.json",
    "code": "ERR_PACKAGE_PATH_NOT_EXPORTED",
    "stack": [
        "Error [ERR_PACKAGE_PATH_NOT_EXPORTED]: No \"exports\" main defined in /var/task/node_modules/@octokit/auth-oauth-app/package.json",
        "    at new NodeError (node:internal/errors:405:5)",
        "    at exportsNotFound (node:internal/modules/esm/resolve:371:10)",
        "    at packageExportsResolve (node:internal/modules/esm/resolve:661:13)",
        "    at resolveExports (node:internal/modules/cjs/loader:584:36)",
        "    at Module._findPath (node:internal/modules/cjs/loader:658:31)",
        "    at Module._resolveFilename (node:internal/modules/cjs/loader:1120:27)",
        "    at Module._load (node:internal/modules/cjs/loader:975:27)",
        "    at Module.require (node:internal/modules/cjs/loader:1225:19)",
        "    at require (node:internal/modules/helpers:177:18)",
        "    at Object.<anonymous> (/var/task/lib/application/utilitiesService/handler/utilities.js:29:26)"
    ]
}

Code of Conduct

• I agree to follow this project's Code of Conduct

So, I'm wanting to plug this into my Express service, and I am not super clear on how this all works.

I have my app clientID & Secret, and I am running against GHE, and I need to use repo scope.

So, I assume I'd make a middleware like

const express = require('express');
const { createOAuthAppAuth } = require("@octokit/auth-oauth-app");

function gitAuth(req, res, next) {
    // what do I do here?
}

const app = express();
app.get("/something", gitAuth, (req, resp) => {
    // do something here...
});

ultimately I am looking to be get a user's auth token (I see how to get that from the access token), so that I can do octkit/rest calls as that user.

help?

Follow up to octokit/request.js#83

https://github.com/login/oauth/access_token is not part of the REST API so it does not know what to do with the accept: 'application/vnd.github.v3+json' header which @octokit/requestsets by default.

When making requests against endpoints that don't require authentication, I still want to use basic auth to avoid being rate-limited (strategy documented here). When using Postman I can successfully make a request to "GET /repos/{owner}/{repo}" with basic authentication and observe that the X-RateLimit-Limit reflect the authentication (I see higher rate limits in the headers). However, when using Octokit I get this error:

Error: [@octokit/auth-oauth-app] "GET /repos/{owner}/{repo}" does not support clientId/clientSecret basic authentication. Use @octokit/auth-oauth-user instead.

I assume this error is in place to prevent users from trying to access a private repository without being authenticated as an oauth user, however, I believe it should still be valid to make a request using basic auth as an oauth app against a public repository.

Example code snippet, with id/secret removed:

import { createOAuthAppAuth } from "@octokit/auth-oauth-app";

const octokit = new Octokit({
    authStrategy: createOAuthAppAuth,
    auth: {
        clientId: "...",
        clientSecret: "...",
    },
})

const repoResult = await octokit.repos.get({ owner, repo });

We now have https://github.com/octokit/auth-oauth-user.js/ which covers all the various use cases around creating / checking / resetting / refreshing / invalidating OAuth user access tokens

auth({ type: "token" }) should be changed to auth({ type: "oauth" }) as discussed in octokit/oauth-app.js#198, it should accept the same additional options as @octokit/auth-oauth-user

And the clientType strategy option needs to be added, it should default to "oauth-app", just like in @octokit/auth-oauth-user

I am attempting to create a sketch, below, of the OAuth token verification process based on the README. When I run the sketch, however, I get the following error message. Am I doing something wrong, or is there an error in the README?

Error: [@octokit/auth-oauth-app] "POST /application/{client_id}/token" does not support clientId/clientSecret basic authentication. Use @octokit/auth-oauth-user instead.
    at hook (/home/kit/work/sketches/js/github-app/node_modules/@octokit/auth-oauth-app/dist-node/index.js:141:11)
    at /home/kit/work/sketches/js/github-app/node_modules/before-after-hook/lib/register.js:25:15
    at processTicksAndRejections (node:internal/process/task_queues:94:5)
    at async /home/kit/work/sketches/js/github-app/verify-token.js:25:5

Code:

const { Octokit } = require("@octokit/core");
const {
  createOAuthAppAuth,
  createOAuthUserAuth,
} = require("@octokit/auth-oauth-app");

// These are placeholder values, not the actual values I'm using
const clientId: "1234567890abcdef1234"; 
const clientSecret: "1234567890abcdef1234567890abcdef12345678";

const token = process.argv[2];
if (!token) {
  console.error('No token supplied');
  process.exit(-1);
}

(async function() {
    const octokit = new Octokit({
      authStrategy: createOAuthAppAuth,
      auth: {
        clientId,
        clientSecret,
      },
  });

  await octokit.request('POST /application/{client_id}/token', {
    client_id: clientId,
    access_token: token
  })
  console.log('Token is OK')
}())

Example response if the code is incorrect or expired. The server returns a 200 status, not a 4xx as expected

{ status: 200,
  url: 'https://github.com/login/oauth/access_token',
  headers:
   { 'cache-control': 'max-age=0, private, must-revalidate',
     connection: 'close',
     'content-encoding': 'gzip',
     'content-security-policy':
      'default-src \'none\'; base-uri \'self\'; block-all-mixed-content; connect-src \'self\' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com; font-src github.githubassets.com; form-action \'self\' github.com gist.github.com; frame-ancestors \'none\'; frame-src render.githubusercontent.com; img-src \'self\' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; manifest-src \'self\'; media-src \'none\'; script-src github.githubassets.com; style-src \'unsafe-inline\' github.githubassets.com',
     'content-type': 'application/json; charset=utf-8',
     date: 'Fri, 23 Aug 2019 22:08:43 GMT',
     etag: 'W/"bf34d08d1e40ca8bd326d0522290fea5"',
     'expect-ct':
      'max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"',
     'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
     server: 'GitHub.com',
     'set-cookie':
      'has_recent_activity=1; path=/; expires=Fri, 23 Aug 2019 23:08:43 -0000, ignored_unsupported_browser_notice=false; path=/',
     status: '200 OK',
     'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
     'transfer-encoding': 'chunked',
     vary: 'X-PJAX, Accept-Encoding',
     'x-content-type-options': 'nosniff',
     'x-frame-options': 'deny',
     'x-github-request-id': '4817:220B:FBD3E:17D106:5D6063EA',
     'x-request-id': '392b8d76-ddc6-4395-b8df-45648d4b8537',
     'x-xss-protection': '1; mode=block' },
  data:
   { error: 'bad_verification_code',
     error_description: 'The code passed is incorrect or expired.',
     error_uri:
      'https://developer.github.com/apps/managing-oauth-apps/troubleshooting-oauth-app-access-token-request-errors/#bad-verification-code' } }

🚨 The automated release from the master branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you could benefit from your bug fixes and new features.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can resolve this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here is some links that can help you:

• Usage documentation
• Frequently Asked Questions
• Support channels

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.

Cannot push to the Git repository.

semantic-release cannot push the version tag to the branch master on the remote Git repository with URL https://x-access-token:[secure]@github.com/octokit/auth-oauth-app.js.

This can be caused by:

• a misconfiguration of the repositoryUrl option
• the repository being unavailable
• or missing push permission for the user configured via the Git credentials on your CI environment

Good luck with your project ✨

Your semantic-release bot 📦🚀

That was how it worked originally, but I removed it in https://github.com/octokit/auth-oauth-app.js/releases/tag/v2.0.0 when I introduced auth.hook.

I've run into a situation where I would want to have a single auth instance that I can use to create multiple tokens for. auth.hook would just use whatever the strategy options are, but the auth() method should be able to retrieve multiple tokens.

This issue contains a list of Renovate updates and their statuses.

Awaiting Schedule

These updates are awaiting their schedule. Click on a checkbox to ignore the schedule.

• fix(deps): lock file maintenance

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• build(deps): update dependency jest to v26
• build(deps): update dependency ts-jest to v26
• build(deps): update dependency typescript to v4
• Check this option to rebase all the above open PRs at once

• Check this box to trigger a request for Renovate to run again on this repository

Follow up to #237

Ideally we would do a test_matrix step and then a test step that depends on test_matrix, so that for branch protections we can require test independent of the Node versions we are using.

See this for reference: https://github.com/octokit/core.js/blob/393caf31b2e802ea9be59aa84f90d64f98953fdb/.github/workflows/test.yml#L32

🚨 The automated release from the 4.x branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you can benefit from your bug fixes and new features again.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can fix this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the 4.x branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here are some links that can help you:

• Usage documentation
• Frequently Asked Questions
• Support channels

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.

The release 4.3.3 on branch 4.x cannot be published as it is out of range.

Based on the releases published on other branches, only versions within the range >=4.3.2 <4.3.2 can be published from branch 4.x.

The following commit is responsible for the invalid release:

• fix: revert dependency update of @octokit/request (ca72842)

This commit should be moved to a valid branch with git merge or git cherry-pick and removed from branch 4.x with git revert or git reset.

A valid branch could be master.

See the workflow configuration documentation for more details.

Good luck with your project ✨

Your semantic-release bot 📦🚀

const auth = createOAuthAppAuth({
  clientId: githubOauthApp.clientId,
  clientSecret: githubOauthApp.clientSecret,
});

const graphqlWithAuth = graphql.defaults({
  request: {
    hook: auth.hook,
  },
});

const response = await graphqlWithAuth(`query UserQuery {
  user(login: "gajus") {
    id
  }
}`);

Produces 401 response:

{"message":"This endpoint requires you to be authenticated.","documentation_url":"https://developer.github.com/v3/#authentication"}

Expected behaviour is that I should be able to get public profile data.

Likely related to:

• #44

Is the only way to send a timeout value to send a configure request object with that value already set?

The dependency @octokit/request was updated from 5.2.1 to 5.3.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

@octokit/request is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

Hi,
Consider releasing a new version? the latest release uses [email protected] which has the following vulnerbility,

node-fetch  <2.6.7
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g

$ npm ls node-fetch
└─┬ @octokit/[email protected]
  └─┬ @octokit/[email protected]
    └── [email protected]

We would like to increase our rate limit as specified here:
https://developer.github.com/v3/#increasing-the-unauthenticated-rate-limit-for-oauth-applications It seems it's not deprecated right?

We used to pass clientId and clientSecret in auth but that has been deprecated in Octokit.
We tried @octokit/auth-basic and @octokit/auth-oauth-app without success as they both try to exchange with a token.

What simple solution would you recommend?

🆕🐥☝ First Timers Only.

This issue is reserved for people who never contributed to Open Source before. We know that the process of creating a pull request is the biggest barrier for new contributors. This issue is for you 💝

About First Timers Only.

🤔 What you will need to know.

The Pika CDN is now Skypack, see https://www.pika.dev/cdn. The CDN at https://cdn.pika.dev/ no longer works, all URLs must be replaced with the new CDN: https://cdn.skypack.dev/. We currently recommend using cdn.pika.dev to import the library into the browser, but that no longer works. Replacing it with cdn.skypack.dev will make it work again.

📋 Step by Step

• 🙋 Claim this issue: Comment below.

  More than one person can work on this issue, don't worry if it's already claimed.

• 📝 Update the file \README.md (press the little pen Icon) and edit as shown below:

@@ -31,11 +31,11 @@ It implements authentication using an OAuth app’s client ID and secret as well
 Browsers
 </th><td width=100%>
 
-Load `@octokit/auth-oauth-app` directly from [cdn.pika.dev](https://cdn.pika.dev)
+Load `@octokit/auth-oauth-app` directly from [cdn.skypack.dev](https://cdn.skypack.dev)
 
 ```html
 <script type="module">
-  import { createOAuthAppAuth } from "https://cdn.pika.dev/@octokit/auth-oauth-app";
+  import { createOAuthAppAuth } from "https://cdn.skypack.dev/@octokit/auth-oauth-app";
 </script>
 ```
 

• 💾 Commit your changes

• 🔀 Start a Pull Request. There are two ways how you can start a pull request:

  1. If you are familiar with the terminal or would like to learn it, here is a great tutorial on how to send a pull request using the terminal.
  2. You can edit files directly in your browser

• 🏁 Done Ask for a review :)

If there are more than one pull requests with the correct change, we will merge the first one, but attribute the change to all authors who made the same change using @Co-authored-by, so yo can be sure your contribution will count.

🤔❓ Questions

Leave a comment below!

This issue was created by First-Timers-Bot.

Hi, i believe upgrading to octokit/requests 6 dropped old Node support similar to this issue octokit/app.js#296 . Can you release a new patch version that supports the old node version when you have a chance, and release dropping node 10/12 support as a major version so that it doesn't automatically get picked up?

I can fill in some more details if this is vague, will be back online tonight/tomorrow

When a token is reset, we update the internally cached token

However, we do not check for the new route:
https://developer.github.com/v3/apps/oauth_applications/#reset-a-token