I’ve created a GitHub app and installed it in my account, giving it access to a private repository in my account. The GitHub app has read permission to metadata.
I then generated a JWT and used it to create an installation access token, following the steps here.
I tried using this token to search for keywords in the above private repository using the GitHub search API as follows:
https://api.github.com/search/code?q=abc+in:file+repo:username/private-repo
However, this returns the following response.
{
"message": "Validation Failed",
"errors": [
{
"message": "The listed users and repositories cannot be searched either because the resources do not exist or you do not have permission to view them.",
"resource": "Search",
"field": "q",
"code": "invalid"
}
],
"documentation_url": "https://docs.github.com/v3/search/"
}
I tried using this access token to fetch the repositories for this GitHub app installation and that returned the private repo successfully in the response. I assume this means that the installation has access to the private repo and the token works as expected.
API used: https://api.github.com/installation/repositories.
Why does the search fail then?
Raised a ticket with GitHub support. Their response:
The query failed because the GitHub App does not have permission to
read the content of the private repository. The Metadata read
permission will allow you to search for repositories but does not have
sufficient scope to read the content of the repository(private).
The docs list the search API under Metadata, but it should be under Content permissions. Granting Content read permissions to the GitHub app solved the issue.
In my case the problem was the value of the "q" field. When I dropped the +repo argument I was able to search code just fine. I'm still not sure why the +repo did not work (it worked fine on the command line) but it turns out I didn't need it anyways since the repos were constrained to where the app was installed and I could also filter the results if needed.
Related
When running amplify push -y in the CLI, my project errors with this message:
["Index: 0 State: {\"deploy\":\"waitingForDeployment\"} Message: Resource is not in the state stackUpdateComplete"]
How do I resolve this error?
The "Resource is not in the state stackUpdateComplete" is the message that comes from the root CloudFormation stack associated with the Amplify App ID. The Amplify CLI is just surfacing the error message that comes from the update stack operation. This indicates that the Amplify's CloudFormation stack may have been still be in progress or stuck.
Solution 1 – “deployment-state.json”:
To fix this issue, go to the S3 bucket containing project settings and deleted the “deployment-state.json” file in root folder as this file holds the app deployment states. The bucket should end with, or contain the word “deployment”.
Solution 2 – “Requested resource not found”:
Check the status of the CloudFormation stack and see if you can notice that the stack failed because of a “Requested resource not found” error indicating that the DynamoDB table “tableID” was missing and confirm that you have deleted it (possibly accidentally). Manually create the above DynamoDB table and retry to push again.
Solution 3A - “#auth directive with 'apiKey':
If you recieve an error stating that “#auth directive with 'apiKey' provider found, but the project has no API Key authentication provider configured”. This error appears when you define a public authorisation in your GraphQL schema without specifying a provider. The public authorization specifies that everyone will be allowed to access the API, behind the scenes the API will be protected with an API Key. To be able to use the public API you must have API Key configured.
The #auth directive allows the override of the default provider for a given authorization mode. To fix the issue specify “IAM” as the provider which allows to use an "Unauthenticated Role" from Cognito Identity Pools for public access instead of an API Key.
Below is the sample code for public authorisation rule:
type Todo #model #auth(rules: [{ allow: public, provider: iam, operations: [create, read, update, delete] }]) {
id: ID!
name: String!
description: String
}
After making the above changes, you can run “amplify update api” and add a IAM auth provider, the CLI generated scoped down IAM policies for the "UnAuthenticated" role automatically.
Solution 3B - Parameters: [AuthCognitoUserPoolId] must have values:
Another issue could occur here, where the default authorization type is API Key when you run the command “amplify add api” without specifying the API type. To fix this issue, follow these steps:
Deleted the the API
Recreate a new one by specifying the “Amazon Cognito user pool” as the authorization mode
Add IAM as an additional authorization type
Re-enable #auth directive in the newly created API Schema
Run “amplify push”
Documentation:
Public Authorisation
Troubleshoot CloudFormation stack issues in my AWS Amplify project
Background
I am working on a custom theme for my WordPress site which I would like to manage from a private GitHub repo. (This theme will never be pushed into the WordPress market place) The general idea would be that I use the repo to manage the code and then once I tag a new version, the tag would trigger an update for the WordPress theme.
I have this pattern working using the following as a template:
https://github.com/krafit/wp-gitlab-updater
(Yes, I know the repo is for Gitlab and not GitHub)
Since my repo is private, I will need to generate a user token to allow the theme to be updated. And because the user token is capable of accessing all my private repos, the idea of sharing the user token with another plugin is discomforting from a security standpoint. (Meaning, I'm uncomfortable using a plugin like: https://github.com/afragen/git-updater)
Question
The problem is that GitHub has deprecated the use of access_token as a query string parameter, so all tokens must be sent over as an Authorization header.
How do I add an authorization header to the request WordPress sends to download the artifact?
What I've Tried
When I check for new tags I use the code:
protected function fetch_tags_from_repo( $git_url, $repo, $access_token ) {
$request_url = "$git_url/repos/$repo/tags?access_token=$access_token";
$args = [
"headers" => [
"Accept" => "application/vnd.github.v3+json",
"Authorization" => "token " . $access_token
]
];
$request = wp_safe_remote_get( $request_url, $args );
return $request;
}
This works without any issues. However...
During the pre_set_site_transient_update_themes hook I return an object that looks like:
$transient->response[ $theme['name'] ]['theme'] = $theme['name'];
$transient->response[ $theme['name'] ]['new_version'] = $latest_version;
$transient->response[ $theme['name'] ]['package'] = $theme_package;
The problem is, I have no way of adding an Authorization header to the transient response object. Therefore, when WP later tries to download the artifact, it fails.
Note: The $theme_package string is a URL which looks like:
$theme_package = "$git_url/repos/$repo/zipball/refs/tags/$latest_version";
Any support appreciated, thank you!
Honestly, this problem has been exhausting and enough is enough...
Answer
Eject from GitHub and use Gitlab because they still support access_token as a header. They have unlimited free private repos <5gb storage.
If you are planning to distribute the private repo with a license I recommend you not to expose your access credentials in the script.
Instead you should use the GitHub PHP API together with a SSH Key that you setup in your repo settings or a GitHub App with access permission granted on your repo.
Here is a solid SDK to start from:
https://github.com/KnpLabs/php-github-api
Alternatively as you suggested it in your answer, a third party service could be used to manage the credentials on your behalf.
Gitlab is a nice generic and low cost option but if you are looking for something dedicated to Wordpress development I recommend WP Package Editor (WP2E)
Among other things the service uses a registered GitHub App to pull the latest version from public / private GitHub repositories:
https://github.com/marketplace/wp-package-editor
This is quoted from the documentation regarding how it is implemented with GitHub:
For a script to be successfully imported to the library of repositories and later be synchronized as an installer dependency there are 4 conditions :
The GitHub App must be connected to a WP2E account
The “read-only” access to the repository must be granted to the WP2E GitHub App
The script must be a valid WP theme or plugin
The repository must have at least one “release” on GitHub
Note: In order to synchronize with the GitHub account/repo the GitHub App should be integrated via the saas panel ( not directly via the GitHub Marketplace )
I am trying to enable the Firebase authentication with the Google Auth sign-in method, but enabling it and clicking "save" shows the error "Error updating Google".
In the Google Cloud Console activity logs, it shows:
Failed:google.internal.firebase.v1.FirebaseInternalProductService.EnableGoogleSignIn
With the error message "Not found (HTTP 404): Operation failed with error code NOT_FOUND."
However, when I tried this in a new Google Cloud project, it worked perfectly. I have tried removing and recreating the Firebase Admin SDK, removing and creating a new app, and removing the OAuth credentials.
I cannot seem to find any solution to this problem other than creating a new project, but I would prefer to keep my existing project ID.
Alternatively, if there is any way to reset my GCP project or remake it with the same ID, that would also be fine.
This issue is caused by deleting the OAuth client autogenerated by Firebase by default.
To solve it, you need to first create a new OAuth 2 client ID, and set the necessary redirect URIs for your Firebase app (they should default to something like https://{PROJECT_ID}.web.app/__/auth/handler).
Then, call this API - the request should look something like this, using the client ID and client secret from the credentials generated above:
PATCH https://identitytoolkit.googleapis.com/admin/v2/projects/{PROJECT_ID}/defaultSupportedIdpConfigs/google.com
{
"name": "projects/{PROJECT_ID}/defaultSupportedIdpConfigs/google.com",
"enabled": true,
"clientId": "{YOUR_CLIENT_ID}",
"clientSecret": "{YOUR_CLIENT_SECRET}"
}
After making this API call, the Google authentication provider should be enabled.
Before to begin, you must have created a new oaut-credentian gcp console, because is tha main problem here.
You nee create a new oauth provider, you can use the next link to authenticate a try the request using data like next:
Parent: projects/**put here your project number**
idpId (identity provider): google.com
Request Body
{
"name": "projects/**put here your project number**/defaultSupportedIdpConfigs/google.com",
"enabled": true,
"clientId": "**put here your client id**",
"clientSecret": "**put here your client secret**"
}
I'm trying to integrate jira with firebase by this guide https://support.google.com/firebase/answer/9118259?hl=en but I'm unable to setup the integration.
Entered jira project URL as https://[workspace-name].atlassian.net/projects/[project-key]
Entered email
Entered JIRA token
Click on Verify & Save
Progress appears and nothing. I checked chrome console and I see failed request to https://firebaseextensions-pa.clients6.google.com/v1/service_provider_values
Request body contains data from form (url, email, token). Response is
{
"error": {
"code": 400,
"message": "Request contains an invalid argument.",
"status": "INVALID_ARGUMENT"
}
}
Any thoughts?
So I contacted Firebase support and we found that the reason is required/mandatory fields of 'Bug' issue at my Jira project. Firebase will provide only summary and description of issue so if you have additional required filed like Environment or custom field then firebase will not setup integration with Jira.
"Unfortunately, if you have a custom field that's marked as required or mandatory, we won't be able to fill it on your behalf."
TLDR;
You have 2 options to get rid of this Error.
Make all the items/custom items in your JIRA Project's 'Bug' Issue Optional (https://community.atlassian.com/t5/Jira-questions/Making-Custom-field-required-and-optional/qaq-p/1974194).
Setup Automation to provide default values for Mandatory Fields(https://support.atlassian.com/jira-cloud-administration/docs/configure-a-custom-field/).
I am following the following Google Cloud Vision quickstart:
https://cloud.google.com/vision/docs/quickstart
This is using the API Explorer, and I get
Error Opening File
I have created a bucket named vision2018, and checked Share Publicly for the file.
My portion of the request related to the file is:
"image":
{
"source":
{
"imageUri":"gs://vision2018/demo-image.jpg"
}
}
The response I get is:
{
"responses": [
{
"error": {
"code": 5,
"message": "Error opening file: gs://vision2018/demo-image.jpg\"."
}
}
]
}
}
What do I need to specify in order to access files in my GCP storage?
Alternatively, I read other Stack Overflows that talk about GOOGLE_APPLICATION_CREDENTIALS, Simple API Key, and "Create Service account key and download the key in JSON format", ... but these seem to be giving commands in the shell, which this quickstart doesn't even open.
Is there initial setup assumed prior to the quickstart?
I am not ready to call the api from code
You might want to doublecheck your request. I went to the quickstart, replaced the placeholder imageUri with gs://vision2018/demo-image.jpg and it worked just fine. The error message you posted is what would be displayed if you had given gs://vision2018/demo-image.jpg\" instead.
Regarding the second part of your question: these are authentication methods. In this particular case, under Authentication you will find a drop down which lets you chose between API key and Google OAuth 2.0. If you chose the former, you don't need to do anything as a demo key will be used just for the purposes of the quickstart. If you chose OAuth 2.0, a popup will appear prompting you to authenticate with a google account. All in all, what you need to do is follow step-by-step the instructions given by the quickstart.
I was receiving a similar JSON response from the Google Vision API:
"error": {
"code": 7,
"message": "Error opening file: gs://bucket/file.jpg."
}
The fix was to set the GCS file's permission to public-read:
gsutil acl set public-read gs://bucket/file.jpg
Finally I investigated what happened. The problem is that your API token is only grant for process the image (allow right to use OCR engine), but that API is not also for accessing object in GS.
Therefore "message": "Error opening file:
The problem is similar with this post:Authorize Google Cloud Vision API to Google Storage image Maybe the error message is a bit dumb than many years ago.
The solution also mentioned in the answer section, but if you want some thing more clear (expose security side-effect) here it is: Set GCS read-only public
Reason I want to keep using API because it's better for use it in mobile application, we cannot give the OAuth2.0 to any phone. However, still find a way to secure the read-public bucket.