Get installations token

[SimonLab]

A token installation allow the Github App to send API requests to Github being authenticated as the installation. This allow the Github App to have a greater requests rate limit.

For each notifications received by the server via Github webhooks we can build an authenticated request for the installation and use the Github API for example to add the meta table on a new created issue or to get the list of all the issues on a new installation

The general steps are well defined on the Gihtub documentation: https://developer.github.com/apps/building-github-apps/authentication-options-for-github-apps/#authenticating-as-an-installation and some part of dwylbot code will help us on a more specific aspect with Elixir:

• [x] create private key, this is done on the settings of the Github App
• [x] Add the private key in the environment variable, in .env file for developement and on the settings of Heroku for the production. It might not be necessary to add this value on Travis as the tests will use some mocks (however we should see if there is a better way to tests the app and it might be by sending real request to Github)

• [x] Get the access token of a specific installation (generate a jwt from the private key to authenticate the Github app on the request which ask for the installation token). The following funciton has been created on dwylbot: https://github.com/dwyl/dwylbot/blob/91b65bc4c9e57ec935f503fd82e4c39b5cb76252/lib/dwylbot_web/controllers/github_api/http_client.ex#L36-L54

  We can reuse the same logic but it might be worth checking if we can incorporate this function into a plug to automatically get the installation token on each incoming requests. To get a specific installation token we use the id of the installation which is defined on the payload send by the webhooks request: payload["installation"]["id"]. This id is then use on the API: https://api.github.com/installations/:installation_id/access_tokens

@Cleop do these steps make sense or do we need more details or info?

References:

• https://github.com/dwyl/learn-json-web-tokens
• https://developer.github.com/apps/building-github-apps/authentication-options-for-github-apps/
• rate limit for Github Apps: https://developer.github.com/apps/building-github-apps/rate-limits-for-github-apps/
• REST API v3: https://developer.github.com/v3/

[Cleop]

@SimonLab - nice one, I think you've probably got a better feel for this than me due to your dwylbot experience.

The first steps make sense. I can follow the concepts of the final checkbox but I am not 100% sure how to achieve them. I'll take a look at the links etc. you shared.

[Cleop]

https://developer.github.com/apps/building-github-apps/authentication-options-for-github-apps/#authenticating-as-an-installation says:

Installation access tokens are scoped to the repositories an installation can access, have defined permissions set by the GitHub App, and expire after one hour.

@SimonLab - Expiring after 1 hour - does this mean we could only use this token for the initial import of issues and not for continued use for the webhooks?

[SimonLab]

For the webhooks we don't need any authentication or token. The users will have decided to install the Github app then the server will receive the webhooks event on the /event/new endpoint we have defined.

The access token is used to send request to the API. At the moment we will want to receive all the issues of repos, and maybe get more information about specific users (who created an issue for example). We can ask for a new token each time we need to send an API request so I don't think the time limit is an issue.

[Cleop]

@nelsonic - not sure that you can test this one given its technical nature but if happy please close 👍

[Cleop]

Closing as 'Done' in the Projects board.