Accessing public pull request data using GitHub App

While moving an OAuth app to a GitHub app, I noticed that some data that is accessible publicly (i.e. without an access token) is not available to users that authenticated with a GitHub app if that app is not installed to the repository in question.

For example, hitting

    GET https://api.github.com/repos/octocat/Spoon-Knife/pulls

without an access token works fine, but using an access token returned from https://github.com/login/oauth/access_token gives the following response:

    Status: 403 Forbidden

    {
        "documentation_url": "https://developer.github.com/v3/pulls/#list-pull-requests",
        "message": "Resource not accessible by integration"
    }

Is this intentional?

1 Like

Hi @tcdoors,

Thank you for being here! Could you please send us the full output of a curl -v request that demonstrates the problem?

http://curl.haxx.se/

That should help us investigate the issue. Also, please make sure you mask any sensitive information like OAuth tokens and Authorization headers in the output of the curl command. Please send the output to https://github.com/contact. And include a link to this thread to give support some background on the ticket.

I hope this helps!

Best,

Andrea

Hi Andrea,

Thanks for the reply. I’ve forwarded the below information to https://github.com/contact, but copying here as well:

Prerequisites: 

Steps to reproduce:

1. Accessing the “Get a single repository” endpoint for a public repository works as expected, even if the GitHub app is not installed to that repository:

    $ curl https://api.github.com/repos/octocat/Spoon-Knife -H "Content-Type: application/json" -H "Authorization: bearer $GITHUB_ACCESS_TOKEN" -I
    HTTP/1.1 200 OK

2. However, accessing the “List pull requests” endpoint for this repository fails:

    $ curl https://api.github.com/repos/octocat/Spoon-Knife/pulls -H "Content-Type: application/json" -H "Authorization: bearer $GITHUB_ACCESS_TOKEN" -I
    HTTP/1.1 403 Forbidden

3. An identical request without authentication completes successfully:

    $ curl https://api.github.com/repos/octocat/Spoon-Knife/pulls -H "Content-Type: application/json" -I
    HTTP/1.1 200 OK

Using an OAuth App (instead of a GitHub App) works as expected.

2 Likes
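A client-side handling sketch for the behaviour reproduced above, added here as an example and not code from the thread or from GitHub: it retries without the token only when the 403 carries the exact message quoted in the thread, and returns every other 403 unchanged. The names `http_get`, `get_public` and `is_integration_denial` are hypothetical, and the fallback assumes the resource is public, as in step 3.

```python
import json
import urllib.error
import urllib.request

# Exact error text quoted in the thread's 403 response.
INTEGRATION_DENIED = "Resource not accessible by integration"

def _parse(raw):
    try:
        return json.loads(raw) if raw else None
    except ValueError:
        return None

def http_get(url, token=None):
    """Real transport: returns (status, parsed JSON or None)."""
    headers = {"Accept": "application/json", "User-Agent": "public-read-example"}
    if token:
        headers["Authorization"] = "bearer " + token
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, _parse(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, _parse(err.read())

def is_integration_denial(status, body):
    return (status == 403 and isinstance(body, dict)
            and body.get("message") == INTEGRATION_DENIED)

def get_public(url, token, fetch=http_get):
    """Returns (mode, status, body); mode is 'token' or 'anonymous'."""
    status, body = fetch(url, token)
    if token and is_integration_denial(status, body):
        # Retry with no Authorization header; any other 403 is returned as-is.
        status, body = fetch(url, None)
        return "anonymous", status, body
    return "token", status, body

if __name__ == "__main__":
    # Constructed stand-in for the API, mirroring steps 2 and 3 of the thread.
    def fake_fetch(url, token):
        if token:
            return 403, {"message": INTEGRATION_DENIED}
        return 200, [{"number": 1, "state": "open"}]
    url = "https://api.github.com/repos/octocat/Spoon-Knife/pulls"
    print(get_public(url, "constructed-token", fake_fetch))
```

Anonymous requests count against GitHub's lower unauthenticated rate limit, so the returned mode is worth logging.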

Was there any resolution to this issue? I’m experiencing a similar problem (with commit data instead of pull request data) and I’m not sure how to go about it.

2 Likes