No permission to list issues/comments for github app

community-help

#1

My github app is authorized to read/write issues (and comments). With my app I’m able to create comments and create issues, but when I try to list the issue created or its comments using the endpoint repos/:owner/:repo/issues/:number/comments I get a permission error

    {
      "documentation_url": "https://developer.github.com/v3", 
      "message": "Issue not viewable by vogxn"
    }

Here’s what the installations permissions show

    {
      "access_tokens_url": "https://api.github.com/installations/29259/access_tokens", 
      "account": {
        ...
      }, 
      "app_id": 2392, 
      "created_at": "2017-05-30T11:51:17+05:30", 
      "events": [
        ...
      ], 
      "html_url": "https://github.com/settings/installations/29259", 
      "id": 29259, 
      "integration_id": 2392, 
      "permissions": {
        "issues": "write", 
        "metadata": "read"
      }, 
      "repositories_url": "https://api.github.com/installation/repositories", 
      "single_file_name": null, 
      "target_id": 1272270, 
      "target_type": "User", 
      "updated_at": "2017-06-01T15:57:59+05:30"
    }

#2

Hi @vogxn – could you please send us the full output of a curl -v request (http://curl.haxx.se/) that clearly demonstrates the behavior you described? We’re interested in seeing the full HTTP request and response objects for that API call, including all headers and bodies (that’s what the -v flag does). That should help us investigate and provide advice. Just make sure you mask sensitive information like authentication credentials in the output of the curl command.


#3

Here’s the curl command for the above request.

curl -L -v -H "Accept: application/vnd.github.machine-man-preview+json" -H "Authorization: token 8a8828eeVERYVERYSECRETc864329b6446e" https://api.github.com/repos/vogxn/vogxn.github.io/issues/7/comments
*   Trying 192.30.253.117...
* TCP_NODELAY set
* Connected to api.github.com (192.30.253.117) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.github.com
* Server certificate: DigiCert SHA2 High Assurance Server CA
* Server certificate: DigiCert High Assurance EV Root CA
> GET /repos/vogxn/vogxn.github.io/issues/7/comments HTTP/1.1
> Host: api.github.com
> User-Agent: curl/7.51.0
> Accept: application/vnd.github.machine-man-preview+json
> Authorization: token 8a8828VERYVERYSECRET7c864329b6446e
>
< HTTP/1.1 403 Forbidden
< Server: GitHub.com
< Date: Sun, 04 Jun 2017 07:58:42 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 105
< Status: 403 Forbidden
< X-RateLimit-Limit: 5000
< X-RateLimit-Remaining: 4994
< X-RateLimit-Reset: 1496566141
< X-OAuth-Scopes:
< X-Accepted-OAuth-Scopes: public_repo, repo
< X-OAuth-Client-Id: Iv1.7ed784ff75a2d6cf
< X-GitHub-Media-Type: github.machine-man-preview; format=json
< Access-Control-Expose-Headers: ETag, Link, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval
< Access-Control-Allow-Origin: *
< Content-Security-Policy: default-src 'none'
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-XSS-Protection: 1; mode=block
< X-Runtime-rack: 0.025984
< X-GitHub-Request-Id: C74F:2E0FB:AE3E7A3:D3C9937:5933BDB1
<
{
  "message": "Issue not viewable by vogxn",
  "documentation_url": "https://developer.github.com/v3"
}
* Curl_http_done: called premature == 0
* Connection #0 to host api.github.com left intact

I can do a plain GET without the auth token just fine.

➜  ~ curl -L -v https://api.github.com/repos/vogxn/vogxn.github.io/issues/7/comments
*   Trying 192.30.253.117...
* TCP_NODELAY set
* Connected to api.github.com (192.30.253.117) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.github.com
* Server certificate: DigiCert SHA2 High Assurance Server CA
* Server certificate: DigiCert High Assurance EV Root CA
> GET /repos/vogxn/vogxn.github.io/issues/7/comments HTTP/1.1
> Host: api.github.com
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: GitHub.com
< Date: Sun, 04 Jun 2017 08:00:46 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 21117
< Status: 200 OK
< X-RateLimit-Limit: 60
< X-RateLimit-Remaining: 58
< X-RateLimit-Reset: 1496566229
< Cache-Control: public, max-age=60, s-maxage=60
< Vary: Accept
< ETag: "5d60f0835949af61617c3a3060567c9c"
< X-GitHub-Media-Type: github.v3; format=json
< Access-Control-Expose-Headers: ETag, Link, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval
< Access-Control-Allow-Origin: *
< Content-Security-Policy: default-src 'none'
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-XSS-Protection: 1; mode=block
< X-Runtime-rack: 0.036242
< Vary: Accept-Encoding
< X-Served-By: 139317cebd6caf9cd03889139437f00b
< X-GitHub-Request-Id: C949:2E0FB:AE44647:D3D0AE4:5933BE2D
<
[
  {
    "url": "https://api.github.com/repos/vogxn/vogxn.github.io/issues/comments/305451531",
    "html_url": "https://github.com/vogxn/vogxn.github.io/issues/7#issuecomment-305451531",
    "issue_url": "https://api.github.com/repos/vogxn/vogxn.github.io/issues/7",
    "id": 305451531,
SNIPPED

#4

Thanks for those outputs, @vogxn – that indeed seems strange. For a publicly available resource – I’d expect fetching it would be allowed to anyone. I’ll open an internal issue and ask the team to take a closer look and we’ll follow up as soon as there’s any news.


#5

@vogxn After discussing this with the team, I wanted to follow up with some news.

The behavior you observed was indeed expected in the sense that there’s a limited set of API endpoints that you can use with a user identity token. The list of those endpoints is documented here:

https://developer.github.com/apps/building-integrations/setting-up-and-registering-github-apps/identifying-users-for-github-apps/#user-to-server-requests

In other words, given that authenticating with user identity tokens (for GitHub Apps) is a new way of authenticating, we’re enabling API endpoints one-by-one to make sure we get the authentication/permission bits right. In cases where publicly available data is being fetched, this is a bit confusing since you can easily switch to a different type of authentication (or even no authentication), e.g. an installation token, and then fetch that data (and this is what you might use as a short-term workaround if you hit the same problem with other endpoints). Still, it’s expected for now as the team is enabling these endpoints manually.

The endpoints for creating an issue and a comment were on that list, but the endpoint for fetching the list of comments wasn’t. The team just enabled the endpoint for fetching the list of comments so you should now be able to use that as well. If there’s anything else you’d like to see enabled so that you can continue working – let us know!

Hope this helps.
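The workaround in the reply above (switch from the user-to-server token to an installation token when an endpoint is not yet enabled for user-to-server authentication) is easy to get wrong because the 403 body looks like a repository permission problem. The script below is an added example written for this thread; it is not code from the thread's participants or from GitHub. It assumes an installation token has already been obtained separately (via the app JWT and the `access_tokens_url` shown in post #1; that exchange is not shown here), uses the `Authorization: token …` scheme and `machine-man-preview` media type exactly as the curl command in post #3 does, and takes an injectable `transport` function so the whole flow can be exercised offline against responses constructed to mirror the two exchanges in post #3. Token values and the `example-app` user agent are placeholders.

```python
"""Added example: list issue comments with a user-to-server token and fall back
to an installation token when the endpoint is not enabled for that token kind.
Not the thread's code; the installation-token exchange is assumed done elsewhere."""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

API = "https://api.github.com"
# Preview media type used for GitHub Apps endpoints in the thread (2017).
ACCEPT = "application/vnd.github.machine-man-preview+json"

# transport(method, url, headers) -> (status, body_text)
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]

# Shape of the body observed in post #3: "Issue not viewable by <login>".
NOT_VIEWABLE = re.compile(r"^Issue not viewable by \S+$")


def auth_headers(token: Optional[str]) -> Dict[str, str]:
    """Request headers; `token` is a user-to-server or installation token (or None)."""
    headers = {"Accept": ACCEPT, "User-Agent": "example-app"}  # placeholder UA
    if token:
        headers["Authorization"] = "token " + token
    return headers


def classify(status: int, body: str) -> str:
    """Turn a response into a short verdict. Per post #5, 403 plus the
    'Issue not viewable by <login>' message means the endpoint is not enabled
    for the token kind in use, not that the app lacks repository permissions."""
    if status == 200:
        return "ok"
    try:
        message = json.loads(body).get("message", "")
    except ValueError:
        message = ""
    if status == 403 and NOT_VIEWABLE.match(message):
        return "endpoint-not-enabled-for-token"
    if status in (401, 403):
        return "denied"
    return "unexpected-%d" % status


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real HTTP transport for live use; the offline demo never calls it."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def list_comments(owner: str, repo: str, number: int, user_token: str,
                  installation_token: str, transport: Transport) -> Tuple[List[dict], str]:
    """Try the user-to-server token first; on the 'not enabled' verdict retry
    with the installation token. Returns (comments, which_token_succeeded)."""
    url = "%s/repos/%s/%s/issues/%d/comments" % (API, owner, repo, number)
    status, body = transport("GET", url, auth_headers(user_token))
    verdict = classify(status, body)
    if verdict == "ok":
        return json.loads(body), "user-to-server"
    if verdict != "endpoint-not-enabled-for-token":
        # A real permission failure: do not mask it by retrying with more power.
        raise RuntimeError("GitHub returned %d: %s" % (status, body))
    status, body = transport("GET", url, auth_headers(installation_token))
    if classify(status, body) != "ok":
        raise RuntimeError("installation token also failed: %d: %s" % (status, body))
    return json.loads(body), "installation"


def make_canned_transport(user_to_server_enabled: bool) -> Transport:
    """Constructed responses mirroring post #3 (no network). The flag models
    whether GitHub has enabled the endpoint for user-to-server tokens."""
    comments = json.dumps([{"id": 305451531, "body": "constructed comment body"}])
    not_viewable = json.dumps({"message": "Issue not viewable by vogxn",
                               "documentation_url": "https://developer.github.com/v3"})

    def transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        auth = headers.get("Authorization", "")
        if auth == "token USER-TO-SERVER-TOKEN":  # placeholder token value
            return (200, comments) if user_to_server_enabled else (403, not_viewable)
        if auth == "token INSTALLATION-TOKEN":  # placeholder token value
            return 200, comments
        return 401, json.dumps({"message": "Bad credentials"})
    return transport


if __name__ == "__main__":
    got, used = list_comments("vogxn", "vogxn.github.io", 7, "USER-TO-SERVER-TOKEN",
                              "INSTALLATION-TOKEN", make_canned_transport(False))
    print(used, len(got))  # installation 1
```

The fallback is deliberately narrow: only the exact 403 shape the thread documents triggers the retry, so a genuine permission denial (wrong repository, revoked installation, bad token) still surfaces as an error instead of being silently retried with the more powerful installation token.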


#6

Thanks @izuzak, I’m able to fetch the comments with the authorized client now. This was very helpful, thanks!


#7

Hopping in here since it seems more relevant than opening another thread. And it’s already indexed by Google! :smiley: Hope you don’t mind.

At the time of this writing, it looks like the PATCH for an issue comment is not yet enabled. In fact, you actually get the rather odd response body of Issue not viewable by username, which would seem to imply that my request was a GET request.

I’m guessing there are more complexities about editing a comment than I might imagine at first blush, but it does seem odd that a user can’t edit their own comment.

In the meantime, should I instead dive into a separate OAuth integration for that user to make the comment editing possible? This would seem to mean that I would need two separate API paths – one via a GitHub App, the other via an OAuth App. Or should I instead have issue comment edits be done by the integration itself, and not on behalf of a user?

Thanks in advance!

Edit: I’m also guessing this is going to be a problem for editing an issue, as well. I’ll be running up against a similar wall with that endpoint, too.


#8

Hi @JoshSmith :wave:

> Hopping in here since it seems more relevant than opening another thread. And it’s already indexed by Google! :smiley: Hope you don’t mind.

Actually, could you please start separate threads for separate issues/problems/reports? Re-using the same thread for different things makes it harder for us to track. You seem to have a question about editing issue comments, and this thread started with a discussion on listing comments.

> I’m guessing there are more complexities about editing a comment than I might imagine at first blush, but it does seem odd that a user can’t edit their own comment.

Indeed it is odd, but the reason why that’s so is in my previous comment on this thread: No permission to list issues/comments for github app. TL;DR: individual endpoints need to be enabled for GitHub Apps or the user-to-server authentication in order to work.

> In the meantime, should I instead dive into a separate OAuth integration for that user to make the comment editing possible? This would seem to mean that I would need two separate API paths – one via a GitHub App, the other via an OAuth App.

That’s up to you to decide. It’s our goal to enable any API endpoint for GitHub Apps and the user-to-server authentication if it’s possible and makes sense. I think what you’re asking for makes sense and I’ll ask the team to look into that. But I can’t promise when it might happen.

> Or should I instead have issue comment edits be done by the integration itself, and not on behalf of a user?

Again, up to you to decide based on your specific use case and goals. Performing an action on behalf of a user is different from performing it as an integration. You can, for example, create a comment as an App, or you can create it on behalf of a user. A comment is created in both cases, but obviously those are not the same.

Thanks again for the feedback!