Coder.com•2w ago
Diranged

How to use External Auth to pull down Github NPM packages?

Hi! I'm experimenting with Coder right now and how it hooks up with Github. I've got it connected into Github for user-authentication, as well as configured for external auth. We can spin up a workspace that checks out code using the github_token returned by the auth, and we've verified that the token then has access to other repositories that the user has access to. So far so good.

Where we're struggling now is using the same token to access Github's package repository (NPM). Here's what we've done so far:

1. Made sure the Github App has read:packages permissions.
2. Set the CODER_EXTERNAL_AUTH_0_SCOPES environment variable to repo workflow admin:public_key read:packages (note, also tried with commas).
3. Verified that the scopes look good in https://... our endpoint/api/v2/deployment/config
"external_auth": [
  {
    "type": "github",
    "client_id": "...",
    "id": "github",
    "auth_url": "",
    "token_url": "",
    "validate_url": "",
    "app_install_url": "",
    "app_installations_url": "",
    "no_refresh": false,
    "scopes": [
      "repo",
      "workflow",
      "admin:public_key",
      "read:packages"
    ],
    "device_flow": false,
    "device_code_url": "",
    "regex": "github\\.com....",
    "display_name": "",
    "display_icon": ""
  }
],
4. Set up the ~/.npmrc file:
//npm.pkg.github.com/:_authToken=ghu_xxx
@org:registry=https://npm.pkg.github.com/
When the workspace boots up and we try to log in:
error Error: https://npm.pkg.github.com/download/@org/<package>...0.2.19/e33c0bcabfc7e22864697a411d80b585719e1fae: Request failed "403 Forbidden"
When I check the Github Security Logs, it always lists token_scopes as empty for the tokens being generated... is there something else we need to do, or a bug?
8 Replies
Codercord•2w ago
Category: Help needed
Product: Coder (v2)
Platform: Linux
Logs: Please post any relevant logs/error messages.
Atif•6d ago
What happens if you manually do npm login and use the token provided by coder external-auth access-token github?
Phorcys•4d ago
@Diranged
DirangedOP•4d ago
After digging for a while - and talking to Github - I discovered that the ONLY tokens that are allowed to make calls to their NPM service are PATs. Nothing else. No Github-App generated tokens. 😦
Phorcys•4d ago
are you maybe able to create a PAT from that app token?
DirangedOP•4d ago
No - you cannot. 😦 Github simply doesn't support it... pretty terrible to be honest.
Phorcys•15h ago
that kinda sucks
Codercord•15h ago
@Phorcys closed the thread.
