search

atom / atom.io

🌐 A place for feedback on the atom.io website and package API
158 stars 98 forks source link

apm publish gives Application Error #181

Closed ioquatix closed 5 years ago

ioquatix commented 5 years ago

@rsese as requested, from https://github.com/atom/atom.io/issues/7

% apm login
Welcome to Atom!

Before you can publish packages, you'll need an API token.

Visit your account page on Atom.io https://atom.io/account,
copy the token and paste it below when prompted.

Press [Enter] to open your account page on Atom.io. 
Token> ***TOKEN***
Saving token to Keychain ✓
koyoko% apm publish -t v2.4.0 
Publishing script-runner@v2.4.0 ✗
Creating new version failed: Application error

% cat package.json 
{
  "name": "script-runner",
  "main": "./lib/script-runner",
  "version": "2.4.0",
  "description": "Run scripts and shells within a proper terminal.",
  "license": "MIT",
  "repository": {
    "type": "git",
    "url": "https://github.com/ioquatix/script-runner"
  },
  "bugs": {
    "url": "https://github.com/ioquatix/script-runner/issues"
  },
  "homepage": "https://github.com/ioquatix/script-runner",
  "dependencies": {
    "shellwords": "^0.1.0",
    "etch": "^0.12.0",
    "shell-environment": "^0.3.0",
    "xterm": "^3.3",
    "node-pty-prebuilt": "^0.7.0",
    "temp-write": "^3.4",
    "resize-observer-polyfill": "^1.4"
  }
}

Here is a manual request:

% curl -v --http1.1 -X POST -H 'Content-Type: application/json' -d '{ "tag": "v2.4.0" }' -H 'Authorization: ***TOKEN***' "https://atom.io/api/packages/script-runner/versions"
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 52.200.123.104...
* TCP_NODELAY set
* Connected to atom.io (52.200.123.104) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.atom.io
*  start date: Mar 30 00:00:00 2017 GMT
*  expire date: Apr 29 12:00:00 2020 GMT
*  subjectAltName: host "atom.io" matched cert's "atom.io"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*  SSL certificate verify ok.
> POST /api/packages/script-runner/versions HTTP/1.1
> Host: atom.io
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Type: application/json
> Authorization: ***TOKEN***
> Content-Length: 19
> 
* upload completely sent off: 19 out of 19 bytes
< HTTP/1.1 500 Internal Server Error
< Server: Cowboy
< Connection: close
< Date: Sat, 25 May 2019 00:45:02 GMT
< Status: 500 Internal Server Error
< Referrer-Policy: strict-origin-when-cross-origin
< Strict-Transport-Security: max-age=631139040
< X-Frame-Options: DENY
< Content-Security-Policy: default-src 'self'; font-src https://github-atom-io-herokuapp-com.freetls.fastly.net https://github-atom-io-herokuapp-com.global.ssl.fastly.net; frame-src 'self' https://www.youtube.com; img-src https: 'self' https://github-atom-io-herokuapp-com.freetls.fastly.net data:; media-src 'self'; object-src 'self' https://github-atom-io-herokuapp-com.freetls.fastly.net; script-src 'self' 'unsafe-inline' https://ssl.google-analytics.com https://www.google-analytics.com https://platform.twitter.com https://github-atom-io-herokuapp-com.freetls.fastly.net; style-src 'self' 'unsafe-inline' https://github-atom-io-herokuapp-com.freetls.fastly.net;
< X-Xss-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Content-Type: application/json; charset=utf-8
< Cache-Control: no-cache
< X-Request-Id: 8793e626-d26f-47b3-b19e-a231c240ccc5
< X-Runtime: 0.944583
< X-Rack-Cache: invalidate, pass
< Vary: Accept-Encoding, Origin
< Via: 1.1 vegur
< 
* TLSv1.2 (IN), TLS alert, close notify (256):
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
{"message":"Application error"}
rsese commented 5 years ago

Thanks for opening a new issue for this @ioquatix :+1: As I mentioned in #7, we can't promise a specific timeframe for when someone can take a look, but I'll share this with the maintainers for you.

ioquatix commented 5 years ago

@rsese it's too bad you don't make this code open source so I can make a PR :)

jasonrudolph commented 5 years ago

:wave: Hi @ioquatix: Thanks for sharing the detailed output in https://github.com/atom/atom.io/issues/181#issue-448394602. That's a big help! :bow:

I think we've tracked down the root cause of the issue. It looks like script-runner 2.4.0 was previously published on 2018-07-29, and it appears that it was unpublished just a few minutes after being published. atom.io requires each version to have a unique version number, so when it sees an attempt to publish 2.4.0 again, atom.io prevents publication. (Admittedly, apm and atom.io should provide a much more helpful error message in this situation.)

I recommend bumping the version on script-runner (for example: you could bump it to 2.4.1 or 2.5.0) and then publishing that new version. I think that should get things back on track, but if you run into any issues, please let us know. :bow:

ioquatix commented 5 years ago

The first time it was published it showed an error message but I don’t recall what it was. I’ll try again but I am worried it will generate another partial record. If it was already published why doesn’t it say that version on the package page?

jasonrudolph commented 5 years ago

If it was already published why doesn’t it say that version on the package page?

atom.io doesn't show 2.4.0 on the package page because 2.4.0 was unpublished.

When you attempt to publish the package, atom.io should ideally provide a much more helpful error message than "Application error". 😭 Preferably, atom.io should inform you that 2.4.0 was previously published and then unpublished, and that you need to publish a new version with a unique version number.

I hope this helps.

ioquatix commented 5 years ago

Okay that makes sense. But I recall when I published it the first time it broke. If it happens again I’ll capture a full transcript.

ioquatix commented 5 years ago

Okay I will try to release 2.4.1 now...

ioquatix commented 5 years ago

First I did this:

> apm login
Welcome to Atom!

Before you can publish packages, you'll need an API token.

Visit your account page on Atom.io https://atom.io/account,
copy the token and paste it below when prompted.

Press [Enter] to open your account page on Atom.io. 
Token> *********************************
Saving token to Keychain ✓
ioquatix commented 5 years ago

Okay, so it asked me to log in:

> apm publish patch      
Preparing and tagging a new version ✓
Pushing v2.4.2 tag Username for 'https://github.com': ^C

But that's not possible because I have 2FA. It needs to use SSH to push the tag.

I don't know why it's trying to use HTTP, because clearly my remote is set up to use ssh:

> git remote -v
origin  git@github.com:ioquatix/script-runner.git (fetch)
origin  git@github.com:ioquatix/script-runner.git (push)
ioquatix commented 5 years ago

I rolled back the failed release:

git reset --hard 4520e8817743dc54bbfbb217ac98adf14f89158d
ioquatix commented 5 years ago

Those tags never existed on the remote system because it was never pushed:

^_^ > git push origin :v2.4.1                                  
error: unable to delete 'v2.4.1': remote ref does not exist
error: failed to push some refs to 'git@github.com:ioquatix/script-runner.git'
x_x > git push origin :v2.4.2
error: unable to delete 'v2.4.2': remote ref does not exist
error: failed to push some refs to 'git@github.com:ioquatix/script-runner.git'
ioquatix commented 5 years ago

I wonder if it's trying to use the repository URL to push the package:

package.json:

  "repository": {
    "type": "git",
    "url": "https://github.com/ioquatix/script-runner"
  },
ioquatix commented 5 years ago

Okay, I thought maybe I can manually push the tag, then publish it:

^_^ > git reset --hard 3d1f46dfbda14dd144f60ddc0907dd7fded2a8f9
HEAD is now at 3d1f46d Prepare 2.4.1 release
^_^ > git tag v2.4.1
^_^ > git push --tags
Enumerating objects: 12, done.
Counting objects: 100% (12/12), done.
Delta compression using up to 8 threads
Compressing objects: 100% (8/8), done.
Writing objects: 100% (8/8), 920 bytes | 920.00 KiB/s, done.
Total 8 (delta 4), reused 0 (delta 0)
remote: Resolving deltas: 100% (4/4), completed with 2 local objects.
To github.com:ioquatix/script-runner.git
 * [new tag]         v2.4.1 -> v2.4.1
x_x > apm publish --tag v2.4.1
Publishing script-runner@v2.4.1 ✓

That seemed to work.

Thinking back, I'm pretty sure when I tried to publish v2.4.0 it bombed out in the same way above with failed git credentials (https login) - I might have even tried to give it my details, but it would surely fail. I don't know how I could have ever unpublished v2.4.0 if it was never published in the first place, but if you say that's how it is then that must be the case. If I did manage to publish it, I think that would have been what I wanted at the time, so I don't know why I'd unpublished it. Something must have failed and I thought - it didn't get published, I can no longer publish it, let's try unpublishing it to see if that clears up the issue. For example, I'm certain I'd check the package page, and see it still listing v2.3 release. Then I don't know if unpublish v2.4.0 is a no-op or not. Either my recollection of events is wrong, or something else odd happened.

That being said:

Let me know if I can help with anything else.

jasonrudolph commented 5 years ago

That seemed to work.

Thanks for letting us know! I'm glad that you were able to get the new version published. 😅

That being said:

  • apm publish could use some work to ensure that it pushes tags using git correctly.
  • The error message could be better.

I agree. 👍

50Wliu commented 5 years ago

I might have even tried to give it my details, but it would surely fail.

FYI, you can still login when you have 2FA enabled by providing a personal access token in the password field.

ioquatix commented 5 years ago

Next time I make a release, I will try the 2FA and report back if it works or not.