Expose authenticated GH client instance as app property

[shaftoe]

Feature Request

Is your feature request related to a problem? Please describe.

I'd like to interact with GitHub from one of the HTTP routes exposed, e.g. open a new pull request when a POST is sent to the POST /new route.

Maybe it's already possible at the moment but the documentation I've found only talks about context.github which seems to be available only inside an Event (i.e. only for webhooks).

I see exists an undocumented app.auth() method that's supposed to return a client to "Authenticate and get a GitHub client that can be used to make API calls.", so I'm trying to make use of it but I can't make it work. For example, with this as app code:

 router.post('/new', async (req, res, next) => {
    const client = await app.auth(Number(process.env.APP_ID), app.log)
    client.git
        .getRef({
            owner: "shaftoe",
            repo: "personal-website",
            ref: "heads/master",
        })
        .then(response => {
            app.log.error("response:" + response)
            res.send(response)
        })
        .catch(error => {
            app.log.error("error:" + error)
            res.send(error)
        })
})

I receive this error: "ERROR (app): error:Error: secretOrPrivateKey must have a value" but I don't see any way for setting that right.

Describe the solution you'd like

It would be great to have an easy way to get an authenticated octokit instance, for example available as an app property, like app.octokit or app.github, or with app.auth() but without the need to provide any argument.

[gr2m]

app.auth(id) will return an octokit client with installation authentication. The id needs to be an installation ID, not the app ID. app.auth() will give you the global instance with app authentication, which you can use to iterate through installations and you can use to create new installation access tokens.

[shaftoe]

Thanks I'm looking into it.

PS looks like Probot v10.1.0 is using v18 of rest.js under the hood.

It's using v17, because v9 used v16.

Uh, than something might be off with my environment, I've noticed that because I saw a deprecation for octokit.apps.createInstallationToken that in v18 has been renamed into createInstallationAccessToken

[gr2m]

The deprecation message is part of v17, in v18 the octokit.apps.createInstallationToken no longer exists and you'd just get an error. By upgrading to v17 first you'll get these deprecation messages which will help you upgrade. If you address all deprecation messages the upgrade to Probot v11 should be very smooth. I generally aim to only remove previously deprecated APIs as part of breaking releases

[shaftoe]

Ah, right, thanks for the explanation, it makes total sense now

[gr2m]

Instead of

const installations = await client.apps.listInstallations()

Do

const installations = await client.paginate(client.apps.listInstallations)

Some of the endpoints that paginate do not return an array in response.data, but e.g. in response.data.items. .paginate() normalizes these responses.

But in this case it makes no difference, I just wanted to let you know about it to save you some headache in future :)

I was able to reproduce the secretOrPrivateKey must have a value error, thanks!

[shaftoe]

But in this case it makes no difference, I just wanted to let you know about it to save you some headache in future :)

Fixing now. Appreciated!

I was able to reproduce the secretOrPrivateKey must have a value error, thanks!

Thank you for taking care!

[shaftoe]

Meanwhile I've worked around this following your recommendation here: #1324 (comment). The following seems to work ok:

const token = await client.apps.createInstallationAccessToken({installation_id})
const { ProbotOctokit } = require("probot")
const client = new ProbotOctokit({
    auth: "token " + token.data.token,
    log: app.log.child({ name: "my-github" }),
})
client.git.getRef({
    owner: "shaftoe",
    repo: "personal-website",
    ref: "heads/master"
})

[manuartero]

Want to add my 2 cents here, thanks to gathering info from this discussion I think I have a "ready-to-copy" code

module.exports = ({ app, getRouter }) => {
  ...
  router.post("/foo", async (req, res) => {
    const octokit = await getAuthenticatedGithubClient(app); 
    ...
  });
};

const getAuthenticatedGithubClient = async (app) => {
  const findOurInstallationId = (installations) => {
    const { id } = installations.find(({ app_id }) => app_id === /*APP_ID*/); // read from .env
    return id;
  };

  const client = await app.auth();
  const installations = await client.paginate(client.apps.listInstallations);
  const authenticatedClient = await app.auth(findOurInstallationId(installations));
  return authenticatedClient;
};

Am I missing something? is there a better/easier way to do this?

Hope this helps someone :)

[gr2m]

    const { id } = installations.find(({ app_id }) => app_id === /*APP_ID*/); // read from .env

unless I miss something, the app_id is always the current app's ID, because the endpoint lists only its own installations. So I'm not quite sure what you are trying to achieve here?

The authenticated client that you receive is authenticated for the first installation, and will only be able to access repositories belonging to that first installation