"Resource not accessible by integration" inconsistently, should be accessible


#1

Hi there,

I have a huge query which I need to break down and optimise. While testing a few things, I noticed what appears to be a bug.

Running the query below, I can retrieve pull request reviews without any issues (as I was expecting given the permissions of my integration):

const query = `query {
  repository(owner: "some owner", name: "some repo") {
    pullRequests(first: 1) {
      edges {
        node {
          reviews(first: 1) {
            edges {
              node {
                url
              }
            }
          }
        }
      }
    }
  }
}`;

(Sorry about the indentation, markdown seems to render differently in this forum).

However, with the exact same request for review data in my large query, I get an error of type UNAUTHORIZED stating Resource not accessible by integration. The query works fine when no review data is requested.

I’m new to GraphQL and the v4 API so I might be missing something, but that doesn’t seem to be the expected behaviour.

Thanks for your help
Nick


#2

Hey there @nomeyer!

Can you describe how you’re authenticating [1] when you submit that request? If you’re using an OAuth token to authenticate, can you clarify which user created the token and which scopes [2] are attached to it?

If you could send us the full output of a curl -v request [3] that demonstrates the problem, that should help us investigate. Just please make sure you mask any sensitive information like OAuth tokens and Authorization headers in the output of the curl command.

[1] http://developer.github.com/v3/#authentication
[2] https://developer.github.com/v3/oauth/#scopes
[3] http://curl.haxx.se/


Strange 405 responses depending on `first` argument value & fields requested
#3

Thanks for your reply @francisfuzz.

I should’ve mentioned this in my original post – I’m authenticating as an integration installation.

The integration_id is 2195. Here’s a screenshot of the integration’s permissions, in case you can’t check them.

Making these requests with curl is proving to be a pain… The documentation doesn’t explain how to deal with nested quotation marks, and everything I’ve tried has failed, returning Problems parsing JSON.

How am I supposed to send this (I’m using macOS)?

{ \
  \"query\": \"query { repository(owner: \\"some owner\\", name: \\"some name\\") { createdAt } }\" \
} \
" https://api.github.com/graphql```

Happy to provide the code used (I'm using [`request-promise`](https://github.com/request/request-promise)). Escaping the large query for `curl` will be tedious, but if it's the only option I'll be able to do it provided I figure out how to escape the `repository` arguments.

Thanks for your help!

#4

Made a final attempt using curl and got it working! Downside: I had to put the whole queries on a single line, so it won’t be pretty to look at… But I trust there’s a prettyfier you can use to lay out the large query nicely.

1) Small query requesting reviews for a single PR. Successful.

Request: curl -v -H "Authorization: Bearer token" -X POST -d '{ "query": "query { repository(owner: \"Stepsize\", name: \"layer_desktop\") { pullRequests(first: 1) { edges { node { reviews(first: 1) { edges { node { url } } } } } } } }" }' https://api.github.com/graphql

Response:

Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 192.30.253.117...
* TCP_NODELAY set
* Connected to api.github.com (192.30.253.117) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.github.com
* Server certificate: DigiCert SHA2 High Assurance Server CA
* Server certificate: DigiCert High Assurance EV Root CA
> POST /graphql HTTP/1.1
> Host: api.github.com
> User-Agent: curl/7.51.0
> Accept: */*
> Authorization: Bearer *******
> Content-Length: 188
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 188 out of 188 bytes
< HTTP/1.1 200 OK
< Server: GitHub.com
< Date: Thu, 25 May 2017 14:27:44 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 87
< Status: 200 OK
< X-RateLimit-Limit: 5000
< X-RateLimit-Remaining: 4991
< X-RateLimit-Reset: 1495724773
< Cache-Control: private, max-age=60, s-maxage=60
< Vary: Accept, Authorization, Cookie, X-GitHub-OTP
< ETag: "8899da300ef493d9a5f32646c476cbbf"
< X-GitHub-Media-Type: github.v3; format=json
< Access-Control-Expose-Headers: ETag, Link, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval
< Access-Control-Allow-Origin: *
< Content-Security-Policy: default-src 'none'
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-XSS-Protection: 1; mode=block
< Vary: Accept-Encoding
< X-Served-By: 49aa99f015c25437a7443c4d3a58cd17
< X-GitHub-Request-Id: F194:6EB5:83486EC:9BD389E:5926E9E0
< 
{"data":{"repository":{"pullRequests":{"edges":[{"node":{"reviews":{"edges":[]}}}]}}}}
* Curl_http_done: called premature == 0
* Connection #0 to host api.github.com left intact

2) Large query, requesting all sorts of data including PR reviews. Unsuccessful.

Request: curl -v -H "Authorization: Bearer token" -X POST -d '{ "query": "query { repository(owner: \"Stepsize\", name: \"layer_desktop\") { createdAt defaultBranchRef { name prefix } description diskUsage hasIssuesEnabled hasWikiEnabled homepageUrl isFork isLocked isMirror isPrivate license lockReason mirrorUrl name owner { avatarUrl login url } projectsUrl pullRequests(first: 5) { edges { node { author { avatarUrl login url } baseRefName body closed comments(first: 10) { edges { node { author { avatarUrl login url } body bodyHTML createdAt } } pageInfo { endCursor hasNextPage } totalCount } commits(first: 10) { edges { node { commit { author { avatarUrl date email name user { avatarUrl login name url } } authoredByCommitter commitUrl committedDate committer { avatarUrl date email name user { avatarUrl login name url } } message messageBody messageBodyHTML messageHeadline messageHeadlineHTML oid status { contexts { context createdAt creator { avatarUrl login url } description state targetUrl } state } tree { entries { mode name object { oid } type } oid } url } url } } pageInfo { endCursor hasNextPage } totalCount } createdAt headRefName locked mergeable mergedAt number reviews(first: 5) { edges { node { author { avatarUrl login url } body bodyHTML comments(first: 10) { edges { node { author { avatarUrl login url } body bodyHTML commit { oid } createdAt diffHunk originalCommit { oid } originalPosition position url } } pageInfo { endCursor hasNextPage } totalCount } commit { oid } createdAt state url } } pageInfo { endCursor hasNextPage } totalCount } state title url } } pageInfo { endCursor hasNextPage } totalCount } url } }" }' https://api.github.com/graphql

Response:

Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 192.30.253.116...
* TCP_NODELAY set
* Connected to api.github.com (192.30.253.116) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.github.com
* Server certificate: DigiCert SHA2 High Assurance Server CA
* Server certificate: DigiCert High Assurance EV Root CA
> POST /graphql HTTP/1.1
> Host: api.github.com
> User-Agent: curl/7.51.0
> Accept: */*
> Authorization: Bearer ***********
> Content-Length: 1594
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
> 
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
< HTTP/1.1 200 OK
< Server: GitHub.com
< Date: Thu, 25 May 2017 14:31:21 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 100
< Status: 200 OK
< X-RateLimit-Limit: 5000
< X-RateLimit-Remaining: 4989
< X-RateLimit-Reset: 1495724773
< Cache-Control: private, max-age=60, s-maxage=60
< Vary: Accept, Authorization, Cookie, X-GitHub-OTP
< ETag: "bac6839d91ff0145fb2859268ba8ed8c"
< X-GitHub-Media-Type: github.v3; format=json
< Access-Control-Expose-Headers: ETag, Link, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval
< Access-Control-Allow-Origin: *
< Content-Security-Policy: default-src 'none'
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-XSS-Protection: 1; mode=block
< X-GitHub-Request-Id: F1AA:6EB0:2FA17FE:3894140:5926EAB7
< 
{"data":null,"errors":[{"message":"Resource not accessible by integration","type":"UNAUTHORIZED"}]}
* Curl_http_done: called premature == 0
* Connection #0 to host api.github.com left intact

3) Large query, same exact fields requested minus the reviews. Successful.

Request: curl -v -H "Authorization: Bearer token" -X POST -d '{ "query": "query { repository(owner: \"Stepsize\", name: \"layer_desktop\") { createdAt defaultBranchRef { name prefix } description diskUsage hasIssuesEnabled hasWikiEnabled homepageUrl isFork isLocked isMirror isPrivate license lockReason mirrorUrl name owner { avatarUrl login url } projectsUrl pullRequests(first: 5) { edges { node { author { avatarUrl login url } baseRefName body closed comments(first: 10) { edges { node { author { avatarUrl login url } body bodyHTML createdAt } } pageInfo { endCursor hasNextPage } totalCount } commits(first: 10) { edges { node { commit { author { avatarUrl date email name user { avatarUrl login name url } } authoredByCommitter commitUrl committedDate committer { avatarUrl date email name user { avatarUrl login name url } } message messageBody messageBodyHTML messageHeadline messageHeadlineHTML oid status { contexts { context createdAt creator { avatarUrl login url } description state targetUrl } state } tree { entries { mode name object { oid } type } oid } url } url } } pageInfo { endCursor hasNextPage } totalCount } createdAt headRefName locked mergeable mergedAt number state title url } } pageInfo { endCursor hasNextPage } totalCount } url } }" }' https://api.github.com/graphql

Response:

Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 192.30.253.117...
* TCP_NODELAY set
* Connected to api.github.com (192.30.253.117) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.github.com
* Server certificate: DigiCert SHA2 High Assurance Server CA
* Server certificate: DigiCert High Assurance EV Root CA
> POST /graphql HTTP/1.1
> Host: api.github.com
> User-Agent: curl/7.51.0
> Accept: */*
> Authorization: Bearer ********
> Content-Length: 1206
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
> 
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
< HTTP/1.1 200 OK
< Server: GitHub.com
< Date: Thu, 25 May 2017 14:32:33 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 126719
< Status: 200 OK
< X-RateLimit-Limit: 5000
< X-RateLimit-Remaining: 4988
< X-RateLimit-Reset: 1495724773
< Cache-Control: private, max-age=60, s-maxage=60
< Vary: Accept, Authorization, Cookie, X-GitHub-OTP
< ETag: "e55a98c410b2ba6f3ff5f50322ce3dc3"
< X-GitHub-Media-Type: github.v3; format=json
< Access-Control-Expose-Headers: ETag, Link, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval
< Access-Control-Allow-Origin: *
< Content-Security-Policy: default-src 'none'
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-XSS-Protection: 1; mode=block
< Vary: Accept-Encoding
< X-Served-By: b535085e7f4d6e3423e016e684de0829
< X-GitHub-Request-Id: F1B0:6EB4:851AD97:9DFDD9D:5926EAFF
< 
{"data":{"repository": ......

The 3 requests were made using the same integration installation OAuth token.


#5

Hi @nomeyer, thanks for sharing these notes with us! I find them really valuable and I think others using integration installations will find this helpful as well. Please let me know if you have any other questions!


#6

Hey, it seems this also linked somehow to the properties of the repo being queried, not just the content of the query itself.

I tried the same query on different repos and it worked for some of them but not others.

Hope that helps, and hope this will be resolved soon. Let me know if I can help in any other way.

Thanks


Connection to PullRequestReviewComment on PullRequest
Bug in rate limit calculation for issue labels – excessive points consumed