mkmarek commented on PR #5077: URL: https://github.com/apache/incubator-devlake/pull/5077#issuecomment-1534844352
There is one thing about GitHub apps that complicates all of this. I haven't really cracked how to get around that only using `SetupAuthentication` and/or `PrepareApiClient` functions in `connection.go`.

GitHub Apps can authenticate themselves by generating JWT from the appId and secret key. But to access any kind of repository data they need to authenticate on behalf of an app installation. (Ref: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app)

To authenticate as an installation you just take the JWT and call `https://api.github.com/app/installations/INSTALLATION_ID/access_tokens`. Then you can use whatever token it returns for any other requests against the repositories that are covered by that installation.

If you know the repository owner/name you can get the installation id. It's also possible to list all app installations via API call and fetch all of their tokens.

In some cases, it's possible to guess what kind of installation you want just by looking at the URL being called, but that's not always the case and it's never the case with GraphQL.

Luckily in all cases I've seen so far the requests are done within the scope of a single repository. Like in here: https://github.com/apache/incubator-devlake/blob/main/backend/plugins/github/impl/impl.go#L147 there is a repository name that I used to get the right installation ID. Same case for the GraphQL variant: https://github.com/apache/incubator-devlake/blob/main/backend/plugins/github_graphql/impl/impl.go#L132

For the `proxy.go` I added a new path where the installation id is explicitly set, so I can get the right token. But maybe that part can be done smarter.

So if I could get the information on what sort of installation should be used for the `PrepareApiClient` function that would solve my problem.
I was thinking about the `SetData` and `GetData` functions that are on the ApiClientAbstract interface but I don't think I can access them before the `PrepareApiClient` function is called.

An alternative way could be to create one connection per installation. So part of the UI would be a dropdown with all the installations and the user would pick one when creating/editing a connection. That would make the implementation simpler.

Any hints on what you would prefer, or maybe you have some additional ideas when it comes to this?
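The two-step GitHub App flow described in the comment above, sketched in Go as an added example; it is not part of the original comment or of DevLake's code. The function names, the app id `12345`, the installation id `987654` and the throwaway key are assumptions constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

// AppJWT signs the short-lived RS256 JWT with which a GitHub App identifies itself.
func AppJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	b64 := base64.RawURLEncoding.EncodeToString // JWT segments are unpadded base64url
	claims, _ := json.Marshal(map[string]interface{}{ // cannot fail for these value types
		"iss": appID,
		"iat": now.Add(-time.Minute).Unix(),    // backdated to tolerate clock drift
		"exp": now.Add(9 * time.Minute).Unix(), // GitHub caps the lifetime at 10 minutes
	})
	input := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// InstallationTokenRequest builds the POST that trades the app JWT for a token scoped to one installation.
func InstallationTokenRequest(apiBase, appJWT string, installationID int64) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodPost,
		fmt.Sprintf("%s/app/installations/%d/access_tokens", apiBase, installationID), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+appJWT)
	req.Header.Set("Accept", "application/vnd.github+json")
	return req, nil
}

func NewDemoKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // throwaway key

func main() {
	key, _ := NewDemoKey()
	jwt, _ := AppJWT("12345", key, time.Now()) // 12345 and 987654 are constructed ids
	req, _ := InstallationTokenRequest("https://api.github.com", jwt, 987654)
	fmt.Println(req.Method, req.URL, "JWT length:", len(jwt))
}
```

The response to that POST carries the installation token in its `token` field with an `expires_at` timestamp, so a client that serves several installations needs one cached token per installation id.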
