Closed chmelev closed 3 months ago
Initial look into this, I am thinking that the access token used, does not have access to ${apiHost}/stores/${storeHash}/v3/channels
endpoint.
Looking into docs to see what permissions are required...
Ok looks highly likely this is permissions of the access token. Steps to recreate:
Goto: BCAdmin > Settings > Store-level API account > Create API Account Generate Token type = Stencil CLI token
The token generated does not have access to /v3/channels
. Which is now used within stencil cli here.
{
"status": 403,
"title": "You don't have a required scope to access the endpoint",
"type": "https://developer.bigcommerce.com/api-docs/getting-started/api-status-codes",
"errors": {}
}
How am I supposed to get the Stencil CLI token with /v3/channels
access? Is that an undocumented feature?
I'd expect that BC will need to fix this functionality when the token is generated from BC Admin.
Two options to unblock you immediately would be:
Following
Hi @chmelev,
Thank you for reporting this issue and sorry about the problem. I didn't recognize when adding this new "channels" request that the standard Stencil CLI token was missing the needed "read-only channel settings" scope. That became required with this change: https://github.com/bigcommerce/stencil-cli/pull/1180
We have released a new update, version 7.5.1, that will address this issue for people running into the scope error. Please go ahead and update to the latest version of stencil-cli
for a quick fix. Our change will simply bypass the scope error and make things act as they did before the update that introduced this new scope requirement (version 7.4.2).
Downgrading to version 7.4.1 or below is another way to resolve this issue quickly.
This new "channels" scope is here to stay though so to accommodate that going forward, you will need to generate a new stencil cli auth token that includes the "read-only channel settings" permission (as suggested by @AndrewBarber).
That can be done within the control panel under Settings
-> Api
-> Store-level Api Accounts
but you do need store owner level access to the store to do this. Right now when creating the new token you must manually add this new scope:
We are also in the process of updating the standard "Stencil CLI token" to include the "read-only channel settings" scope. Before long simply regenerating that specific token will correct this issue as well:
Feel free to let me know if you have questions about this. Sorry again about this oversight.
Hi @bc-jz,
Just to be clear - while the Stencil CLI Token generation is being fixed, you're suggesting using the V2/V3 API Token instead, right?
Hi @bc-jz,
Just to be clear - while the Stencil CLI Token generation is being fixed, you're suggesting using the V2/V3 API Token instead, right?
I am suggesting it as a possible replacement but if you don't want to bother with choosing the correct scopes then you can just wait for the stencil cli token update. That should be available in the next day and once you are on version 7.5.1+ of stencil-cli
, there is no longer a blocking failure if your auth token is missing the "store channel settings read only" scope.
The "stencil CLI token" is simply a v2/v3 api token where we predefine the scopes it should have available based on the actions taken when utilizing stencli-cli
. The necessary scopes you would apply to match what we will have on the stencil cli token are:
There is one more scope that changes depending on if you are only doing local development or needing to publish changes. If you need to publish changes then you need the store_themes_manage
scope. That can be more conservatively set to store_themes_read_only
if you are only doing local development.
The danger with generating a v2/v3 api token to replace the stencil cli token is simply that you apply too many or too few scopes. Too few can result in errors like we have seen with this missing Channels scope. Too many would grant whomever is using this token greater access to your store's api than what is necessary to do theme development.
To close the loop on this I confirmed that the Stencil CLI token generated in the Control Panel now has all needed scopes to work properly with the newest versions of stencil-cli
. As a summary for anyone seeing 403 errors when using version 7.4.2 or 7.5.0 of stencil-cli
:
1) You should regenerate your "Stencil CLI" token to get the scopes needed to avoid the error. 2) If you can't get a new token soon you can downgrade to 7.4.1 or update to 7.5.1+ to also get around the error.
Expected behavior
Theme gets applied without errors when doing the stencil push
Actual behavior
Theme application step (after the "Would you like to apply your theme to your store?" question) fails with the following error:
not ok -- Error: Could not fetch a list of the store channels: Request failed with status code 403
Steps to reproduce behavior
Get the latest (4/8/2024) stencil-cli, do the stencil init, and then stencil push. NOTE - the pre-4/8/2024 version works fine
Environment
Stencil-cli version
stencil --version
: 7.4.2Node version
node -v
: 18.19.0NPM version
npm -v
: 10.2.3OS: fails on Windows and Linux