"Resource not available to integration" when trying to fetch diff as user for Github App

I have a GitHub app using a user token trying to make the following request (through octokit):

https://api.github.com/repos/hatboysam/diffmachine/compare/ss-old-code...ss-new-code

These are my headers:

Host: api.github.com
User-Agent: octokit-rest.js/18.0.0 octokit-core.js/3.0.0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: application/vnd.github.machine-man-preview.diff
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost:8080/pr/hatboysam/diffmachine/5
authorization: token <REDACTED>
Origin: http://localhost:8080
DNT: 1
Connection: 

I get denied with “Resource not available to integration”. Note that this API request works perfectly without the authorization token header and my GitHub App has “Read only” access to “Contents”.

What am I doing wrong?

2 Likes

:wave: hello there @hatboysam, and welcome to the GitHub Support Community!

If those branches are in a public repository, anyone (whether authenticating or not) should be able to make a request to that endpoint. If you’re still experiencing this, could you please send us the full output of a curl -v request that demonstrates the behavior?

That should help us investigate the issue. Also, please make sure you mask any sensitive information like OAuth tokens and Authorization headers in the output of the curl command.

2 Likes

@francisfuzz Here is a failing CURL request (I get 403). I got this from the Firefox inspector’s “copy as curl” from a real 403 failure so I am sure this is correct:

curl 'https://api.github.com/repos/hatboysam/diffmachine/compare/ss-old-code...ss-new-code' \
  -H 'User-Agent: octokit-rest.js/18.0.0 octokit-core.js/3.0.0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0' \
  -H 'Accept: application/vnd.github.machine-man-preview.diff' \
  -H 'Accept-Language: en-US,en;q=0.5' \
  --compressed \
  -H 'Referer: http://localhost:8080/pr/hatboysam/diffmachine/5' \
  -H 'authorization: token <REDACTED>' \
  -H 'Origin: http://localhost:8080' \
  -H 'DNT: 1'  \
  -H 'Connection: keep-alive'

As you said, this works fine without the authorization header because this is a public repo; however, I would like my app to work for private repos as well.

@hatboysam - Thanks for sharing that curl request with us. I attempted to reproduce this behavior leveraging a GitHub App with Read + Write permission on “Contents” on an example repository. I wrote a workflow file that makes three requests: one for the compare, one for the compare’s diff specifying v3 as the version, and one for the compare’s diff specifying machine-man-preview as the version:

Given the result of the workflow run, I’m admittedly not sure why the request you shared resulted in a 403. Here are my follow-up questions:

  • Could you please share the value of the X-GitHub-Request-Id header returned in the API response when you get that 403 from the API? We can check our logs for that value and see if that gives us more insight into what’s happening.
  • Are you able to reproduce this 403 independent of octokit-rest.js by just using curl and passing in the installation token in the Authorization header? If so, could you please share the full request-response pair redacting any sensitive information (passwords, tokens, etc.)?
  • Are you able to fetch the diff for any other two branches on that repository? If so, could you please share another example of this with a 2xx response from the API?

The more information, the better. Thanks again! :bowing_man:

1 Like

@francisfuzz thanks for looking into this.

Here’s a request id from a failure just a moment ago:

F031:C7C2:15CC779:1BAB883:5F0F5B8C

I am able to reproduce this as a curl in my terminal, so I don’t think octokit is the issue here. The full request/response is below.

I want to mention that I am doing this request from a web app and therefore I am using a user token which I get from an OAuth flow on my server on behalf of my GitHub app.

curl 'https://api.github.com/repos/hatboysam/diffmachine/compare/ss-old-code...ss-new-code' \
  -H 'User-Agent: octokit-rest.js/18.0.0 octokit-core.js/3.0.0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0' \
  -H 'Accept: application/vnd.github.machine-man-preview.diff' \
  -H 'Accept-Language: en-US,en;q=0.5' \
  --compressed \
  -H 'Referer: http://localhost:8080/pr/hatboysam/diffmachine/5' \
  -H 'authorization: token <REDACTED>' \
  -H 'Origin: http://localhost:8080' \
  -H 'DNT: 1' \
  -H 'Connection: keep-alive' \
  -H 'If-Modified-Since: Wed, 10 Jun 2020 00:37:39 GMT' \
  -H 'If-None-Match: "23910cad47d3d5533316440084960c2a"' \
  -v
*   Trying 140.82.118.5...
* TCP_NODELAY set
* Connected to api.github.com (140.82.118.5) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
*  start date: Jun 22 00:00:00 2020 GMT
*  expire date: Aug 17 12:00:00 2022 GMT
*  subjectAltName: host "api.github.com" matched cert's "*.github.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*  SSL certificate verify ok.
> GET /repos/hatboysam/diffmachine/compare/ss-old-code...ss-new-code HTTP/1.1
> Host: api.github.com
> Accept-Encoding: deflate, gzip
> User-Agent: octokit-rest.js/18.0.0 octokit-core.js/3.0.0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
> Accept: application/vnd.github.machine-man-preview.diff
> Accept-Language: en-US,en;q=0.5
> Referer: http://localhost:8080/pr/hatboysam/diffmachine/5
> authorization: token <REDACTED>
> Origin: http://localhost:8080
> DNT: 1
> Connection: keep-alive
> If-Modified-Since: Wed, 10 Jun 2020 00:37:39 GMT
> If-None-Match: "23910cad47d3d5533316440084960c2a"
> 
< HTTP/1.1 403 Forbidden
< Date: Wed, 15 Jul 2020 19:42:17 GMT
< Content-Type: application/json; charset=utf-8
< Transfer-Encoding: chunked
< Server: GitHub.com
< Status: 403 Forbidden
< X-RateLimit-Limit: 5000
< X-RateLimit-Remaining: 4995
< X-RateLimit-Reset: 1594845583
< X-OAuth-Scopes: 
< X-Accepted-OAuth-Scopes: repo
< X-OAuth-Client-Id: Iv1.3bfe017ea9365f15
< X-GitHub-Media-Type: github.machine-man-preview; param=diff
< Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, Deprecation, Sunset
< Access-Control-Allow-Origin: *
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< X-Frame-Options: deny
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
< Content-Security-Policy: default-src 'none'
< Vary: Accept-Encoding, Accept, X-Requested-With
< Content-Encoding: gzip
< X-GitHub-Request-Id: FE4A:C7C2:15E144E:1BC5988:5F0F5C19
< 
{
  "message": "Resource not accessible by integration",
  "documentation_url": "https://developer.github.com/v3/repos/commits/#compare-two-commits"
}
* Curl_http_done: called premature == 0
* Connection #0 to host api.github.com left intact

@hatboysam I found that request in our logs––thanks again for sharing it with us!

I’m wondering if this particular GitHub App is installed to the hatboysam/diffmachine repository? To check, you can make a request that lists the repositories accessible to the application installation. If it’s not installed, can you try installing that application to the repository and making that request again?

> I want to mention that I am doing this request from a web app and therefore I am using a user token which I get from an OAuth flow on my server on behalf of my GitHub app.

Interesting! Could you also check to see if that particular user access token has access to those repositories? We have an endpoint that lists which repositories are accessible to the user access token.

We’re keen to hear how you get on. :+1:

1 Like
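
The check suggested in the reply above (list the installations and the repositories visible to the user access token), as an added example that is not part of the original thread. `getJson` is a hypothetical helper, the reason strings are this example's own labels, and the sample data is constructed:

```javascript
// Added example. Inputs are the parsed JSON bodies of two REST calls made
// with the user access token (first page only; pagination is not handled):
//   GET /user/installations
//   GET /user/installations/{installation_id}/repositories
function explainAccess(installations, reposByInstallation, repoFullName) {
  // The token only ever sees installations of the app that issued it.
  if (installations.length === 0) {
    return { ok: false, reason: "app-not-installed" };
  }
  const wanted = repoFullName.toLowerCase();
  for (const inst of installations) {
    const repos = reposByInstallation[inst.id] || [];
    if (!repos.some((r) => r.full_name.toLowerCase() === wanted)) continue;
    const contents = (inst.permissions || {}).contents;
    if (contents !== "read" && contents !== "write") {
      return { ok: false, reason: "no-contents-permission", installationId: inst.id };
    }
    return { ok: true, reason: "installed", installationId: inst.id };
  }
  return { ok: false, reason: "repo-not-in-installation" };
}

// getJson is a hypothetical helper: (path) => Promise of the parsed body,
// sending the user token in the Authorization header.
async function checkRepoAccess(getJson, repoFullName) {
  const { installations } = await getJson("/user/installations");
  const reposByInstallation = {};
  for (const inst of installations) {
    const body = await getJson(`/user/installations/${inst.id}/repositories`);
    reposByInstallation[inst.id] = body.repositories;
  }
  return explainAccess(installations, reposByInstallation, repoFullName);
}

// Constructed sample data (ids are made up): what a token issued by an app
// with no installation sees, next to one issued by an installed app.
const DEV_TOKEN_VIEW = { installations: [], repos: {} };
const PROD_TOKEN_VIEW = {
  installations: [{ id: 101, repository_selection: "selected", permissions: { contents: "read" } }],
  repos: { 101: [{ full_name: "hatboysam/diffmachine" }] },
};

console.log(explainAccess(DEV_TOKEN_VIEW.installations, DEV_TOKEN_VIEW.repos, "hatboysam/diffmachine"));
console.log(explainAccess(PROD_TOKEN_VIEW.installations, PROD_TOKEN_VIEW.repos, "hatboysam/diffmachine"));
```
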

Ohhhh man I feel so dumb! I have two GitHub apps for this project: one for dev and one for prod. I never added the dev app to my project.

Once I did that, everything worked. Thank you for your patience!

1 Like