jspm / github

Github Location Service

Bring back username in auth #99

Closed guybedford closed 8 years ago

guybedford commented 8 years ago

We do need to provide the username when setting up auth even with a token.

tamird commented 8 years ago

This description is not sufficient. Specifically, we still want to avoid sending the username on Github API calls (because that requires giving the token special access), but apparently the Git protocol requires a username (and the Git protocol is used in ls-remote).

Another option is to fetch the username on first use by hitting <github api>/user with the token and reading the login property.

tamird commented 8 years ago

Per @guybedford, a third option is to use GitHub's refs API (https://developer.github.com/v3/git/refs/#get-all-references) when authenticated, and ls-remote otherwise.

adamburgess commented 8 years ago

Instead of offering to test the token upon setup, do it anyway to grab /user. If it fails, the token is bad. If it succeeds, store login.
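
The setup flow proposed in the two comments above (call /user with the token, treat a failure as a bad token, store `login` on success), as an added example that is not part of the thread or of jspm-github's code. The helper names, the User-Agent value and the stub server are assumptions made for illustration.

```javascript
// Added example: hypothetical helper names; not jspm-github code.
const GITHUB_API = 'https://api.github.com';

// API calls carry only the token; no username is sent.
function apiHeaders(token) {
  return {
    Authorization: 'token ' + token,
    Accept: 'application/vnd.github.v3+json',
    'User-Agent': 'auth-setup-example' // constructed value
  };
}

// Interpret the /user response: any non-200 means the token is unusable.
function loginFromUserResponse(status, body) {
  if (status === 401) throw new Error('GitHub rejected the token (401)');
  if (status !== 200) throw new Error('Unexpected status from /user: ' + status);
  if (!body || typeof body.login !== 'string' || body.login === '') {
    throw new Error('/user response has no login property');
  }
  return body.login;
}

// Validate the token at setup and return what to store.
// fetchImpl is injectable so the flow can be exercised offline.
async function setupAuth(token, fetchImpl = fetch) {
  if (typeof token !== 'string' || token.trim() === '') {
    throw new Error('Empty token');
  }
  const res = await fetchImpl(GITHUB_API + '/user', { headers: apiHeaders(token) });
  const body = res.status === 200 ? await res.json() : null;
  const login = loginFromUserResponse(res.status, body);
  // The username is kept only for git-over-HTTPS operations such as ls-remote.
  return { username: login, token };
}

// Constructed stand-in for GitHub: accepts exactly one made-up token.
function fakeGitHub(validToken, login) {
  return async (url, opts) => {
    const ok = url === GITHUB_API + '/user' &&
      opts.headers.Authorization === 'token ' + validToken;
    return { status: ok ? 200 : 401, json: async () => ({ login }) };
  };
}
```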

adamburgess commented 8 years ago

> a third option is to use GitHub's refs API

Pros:

Cons:

IMO speed trumps data usage

tamird commented 8 years ago

FYI, you can also grab just tags or just heads from the refs API:

How does that speed compare? It definitely omits pull requests.

adamburgess commented 8 years ago

Then for every repo you have to do two requests, but in some cases it does seem to speed things up. API is pretty much identical for jspm/github, but API is faster for Microsoft/typescript.

tamird commented 8 years ago

Also recall that two requests is not such a big deal - you can do them in parallel.

guybedford commented 8 years ago

See also the gitter thread - https://gitter.im/jspm/jspm?at=57bf2683757a871757b4b0d0.

guybedford commented 8 years ago

I think we're just going to have to revert this work and go back to how things were, since no one seems interested in fixing the problems here.

tamird commented 8 years ago

I can take fixing these problems - I was under the impression that @adamburgess was doing it.

On Thu, Aug 25, 2016 at 5:09 PM, Guy Bedford notifications@github.com wrote:

> I think we're just going to have to revert this work and go back to how things were, since no one seems interested in fixing the problems here.


jakeNiemiec commented 8 years ago

https://gitter.im/jspm/jspm?at=57bf2683757a871757b4b0d0

We have a bot that runs jspm install as part of a deploy step.

The bot's token does not work with the private git repo; however, mine (as the creator of the repo) can install it just fine.

Someone recently updated our server distro (to Ubuntu 16.04.1 LTS); only after this did jspm stop working.

If I try to install our private package into a fresh directory (excluding basic setup):

```
deploy@app:~/tesst$ jspm registry config github
Would you like to set up your GitHub credentials? [Yes]: Yes
     You can generate an access token at https://github.com/settings/tokens.

Enter your GitHub access token: 1234123412341234
Would you like to test these credentials? [Yes]: Yes
ok   GitHub authentication is working successfully.
ok   Registry github configured successfully.
deploy@app:~/tesst$ jspm i github:myOrg/energyCalculator-browser --save-dev

warn The --save-dev install flag in jspm is just --dev.

warn Running jspm globally, it is advisable to locally install jspm via npm install jspm --save-dev.
Username for 'https://github.com': jspmdeploy-bot
Password for 'https://jspmdeploy-bot@github.com':
     Updating registry cache...
     Downloading github:myOrg/energyCalculator@1.1.6

err  Error on download for github:myOrg/energyCalculator-browser
Bad response code 404

warn Installation changes not saved.
```

The bot has read/write and can clone and modify via ssh just fine. I fully expected my token to stop working, however it still does despite having the same permissions of the bot. Another thing worth noting is there may be an issue with the deploy keys / user id_rsa (does jspm even use this?).

Despite all this, I was able to swap out for npm: without any trouble (token-based). I look forward to being able to pull from our private git repos again; thanks for all your hard work!

PacciniBruno commented 8 years ago

In the meantime, can we lock jspm-github version to 0.14.9 in jspm-cli dependencies?

We had to resort to a local install of jspm for our project, coupled with an npm shrinkwrap to force a jspm-github@0.14.9 install.

For those interested, a way around is using this trick: https://gist.github.com/ahoward/2885020 and editing your jspm config file manually as such:

```
{
  "defaultRegistry": "jspm",
  "strictSSL": true,
  "registries": {
    "github": {
      "remote": "https://github.jspm.io",
      "username": "%MY_USER%",
      "password": "%MY_PASSWORD%",
      "maxRepoSize": 0,
      "timeouts": {
        "lookup": 240
      },
...
```

tamird commented 8 years ago

@jakeNiemiec @PacciniBruno can you guys try to use my fix from #107 or #108?

You'd install it into package.json as "jspm-github": "github:tamird/github#private-auth-0.16" or "jspm-github": "github:tamird/github#private-auth" depending on if you're using jspm 0.16 or 0.17.

guybedford commented 8 years ago

This should be resolved in https://github.com/jspm/github/pull/112 now.

guybedford commented 8 years ago

Released in 0.13.17.