tinglesoftware / dependabot-azure-devops

Tools for updating dependencies in Azure DevOps repositories using https://dependabot.com
MIT License

401 when calling Identities endpoint #1499

Open miszoPandy opened 2 days ago

miszoPandy commented 2 days ago

Describe the bug

Requests to resolve approvers don't work because the WebApi is reused and the PersonalAccessTokenHandler rejects cross-domain calls.

Categorization

We get a 401 for the identities endpoint of Azure DevOps. The same token works via Postman and is also able to create PRs via this task.

Repository URL: e.g. https://dev.azure.com/tingle/dependabot/_git/repro-684

To Reproduce

Steps to reproduce the behavior:

  1. Add any reviewers under the dependabot.yaml configuration.
  2. Try to run the task
  3. The task will fail with an error saying that authentication failed against the ADO identities API.

Expected behavior

The personal access token should work against both the identities and the organization API.

Additional context

The problem probably originates from here:

https://github.com/microsoft/typed-rest-client/blob/master/lib/handlers/personalaccesstoken.ts#L19

The origin is never specified, so it becomes the host of the first request. Then, because this task reuses the WebApi client, the origin will not match the host, and the boolean for allowCrossOriginRequests is also false since it's an optional value that is never specified by the task. This means the auth header never gets added to the request when calling the identities endpoint here:

https://github.com/tinglesoftware/dependabot-azure-devops/blob/a0d7902dd3e970c4668751d56eaa20af2e1e49d0/extension/tasks/dependabotV2/utils/azure-devops/AzureDevOpsWebApiClient.ts#L57

Possible fix: create two WebApi clients, one for each host, or allow cross-domain calls by enabling it when calling the auth token handler.
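The origin-pinning behaviour described above, as an added illustration that is neither typed-rest-client's nor this project's code: a Node.js model of a PAT handler that records the host of the first request and only attaches the Authorization header to later requests going to that same host, unless cross-origin authorization is switched on. The three functions at the end play through the reported setup (one shared handler) and the two fixes the comment proposes (one client per host, or opting in to cross-origin authorization). The class and function names, the option name `allowCrossOriginAuthorization`, the token and the two URLs are constructed for this example.

```javascript
// Model of a PAT credential handler with "first host wins" origin pinning.
// Written for this example; it is NOT typed-rest-client's implementation.
// Node.js globals used: URL and Buffer.

// Constructed sample endpoints: the organization API and the identities API
// live on different hosts.
const ORG_URL = 'https://dev.azure.com/example-org/_apis/git/repositories';
const IDENTITIES_URL = 'https://vssps.dev.azure.com/example-org/_apis/identities?searchFilter=General';

class PatHandler {
  constructor(token, allowCrossOriginAuthorization = false) {
    this.token = token;
    this.allowCrossOriginAuthorization = allowCrossOriginAuthorization;
    this.origin = undefined; // pinned to the host of the first request
  }

  // Builds the headers for a request to `url` and returns them instead of
  // sending anything, so the decision can be inspected.
  prepareRequest(url) {
    const host = new URL(url).host;
    if (!this.origin) {
      this.origin = host; // first request decides the trusted host
    }
    const headers = { 'X-TFS-FedAuthRedirect': 'Suppress' };
    // The pin stops the PAT from being sent to some other host (for example
    // after a redirect). With a shared handler it also blocks a legitimate
    // second host, and the request simply goes out without credentials.
    if (this.origin === host || this.allowCrossOriginAuthorization) {
      headers.Authorization =
        'Basic ' + Buffer.from(`PAT:${this.token}`).toString('base64');
    }
    return headers;
  }
}

// Reported setup: one handler reused for both calls.
function sharedHandlerAuthorizes(token) {
  const handler = new PatHandler(token);
  return {
    org: 'Authorization' in handler.prepareRequest(ORG_URL),
    identities: 'Authorization' in handler.prepareRequest(IDENTITIES_URL),
  };
}

// Fix 1: a separate handler (client) per host; every pin stays intact.
function perHostHandlersAuthorize(token) {
  const handlers = new Map();
  const headersFor = (url) => {
    const host = new URL(url).host;
    if (!handlers.has(host)) {
      handlers.set(host, new PatHandler(token));
    }
    return handlers.get(host).prepareRequest(url);
  };
  return {
    org: 'Authorization' in headersFor(ORG_URL),
    identities: 'Authorization' in headersFor(IDENTITIES_URL),
  };
}

// Fix 2: keep the shared handler but opt in to cross-origin authorization.
function crossOriginHandlerAuthorizes(token) {
  const handler = new PatHandler(token, true);
  return {
    org: 'Authorization' in handler.prepareRequest(ORG_URL),
    identities: 'Authorization' in handler.prepareRequest(IDENTITIES_URL),
  };
}

const exampleToken = 'constructed-example-pat'; // not a real credential
console.log('shared handler   :', sharedHandlerAuthorizes(exampleToken));
console.log('per-host handlers:', perHostHandlersAuthorize(exampleToken));
console.log('cross-origin     :', crossOriginHandlerAuthorizes(exampleToken));
```

The two fixes differ in what they give up: one client per host keeps the pin, so the PAT is never sent to a host other than the one each client was created for, whereas enabling cross-origin authorization on a shared client removes that guard for every request that client makes. The model also shows why the symptom is a bare 401 rather than a client-side error: the request is sent, just without the Authorization header, so a token that works in another tool is the tell-tale sign of this class of problem.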

miszoPandy commented 2 days ago

Happy to propose the fix once approved.