Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

octokit-auth-probot

Package Overview
Dependencies
Maintainers
1
Versions
18
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

octokit-auth-probot

Octokit authentication strategy that supports token, app (JWT), and event-based installation authentication

  • 3.0.2
  • latest
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
26K
decreased by-2.29%
Maintainers
1
Weekly downloads
 
Created
Source

octokit-auth-probot

Octokit authentication strategy that supports token, app (JWT), and event-based installation authentication

@latest Build Status

octokit-auth-probot combines the authentication strategies:

  1. @octokit/auth-app
  2. @octokit/auth-token
  3. @octokit/auth-unauthenticated

It adds a new authentication type: "event-octokit", which allows to retrieve an Octokit instance which is correctly authenticated based on the Octokit constructors authentication (app or token) as well as the event, which either results in an installation access token authentication or, in case the event implies that the installation's access has been revoked, in an unauthenticated Octokit instance.

octokit-auth-probot is not meant to be used by itself, but in conjuction with @octokit/core or a compatible library.

Usage

Browsers

Load octokit-auth-probot directly from esm.sh

<script type="module">
  import { Octokit } from "https://esm.sh/@octokit/core";
  import { createProbotAuth } from "https://esm.sh/octokit-auth-probot";
</script>
Node

Install with npm install octokit-auth-probot

const { Octokit } = require("@octokit/core");
const { createProbotAuth } = require("octokit-auth-probot");
// or:
// import { Octokit } from "@octokit/core";
// import { createProbotAuth } from "octokit-auth-probot";

⚠️ For usage in browsers: The private keys provided by GitHub are in PKCS#1 format, but the WebCrypto API only supports PKCS#8. You need to convert it first:

openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private-key.pem -out private-key-pkcs8.key

No conversion is needed in Node, both PKCS#1 and PKCS#8 format will work.

const { Octokit } = require("@octokit/core");
const { createProbotAuth } = require("octokit-auth-probot");

const ProbotOctokit = Octokit.defaults({
  authStrategy: createProbotAuth,
});

Token authentication

const octokit = new ProbotOctokit({
  auth: {
    token: "secret 123",
  },
});

Note: when using octokit.auth({ type: "installation", factory }), factory(options) will be called with options.octokit, options.octokitOptions, plus any other properties that have been passed to octokit.auth() besides type and factory. In all other cases, octokit.auth() will resolve with an oauth authentication object, no matter the passed options.

App authentication

const octokit = new ProbotOctokit({
  auth: {
    appId: 123,
    privateKey: `----BEGIN RSA PRIVATE KEY----- ...`,
  },
});

Unauthenticated

const octokit = new ProbotOctokit();

This is useful if you need to send a request without access to authentication. Probot's use case here is Create a GitHub App from a manifest (POST /app-manifests/{code}/conversions), which is used to register a GitHub app and retrieve the credentials in return.

Get authenticated octokit instance based on event

const eventOctokit = await octokit.auth({
  type: "event-octokit",
  event: { name: "push", payload: { installation: { id: 123 } } }, // event payload
});

eventOctokit is now authenticated in one of three ways:

  1. If octokit was authenticated using a token, eventOctokit is authenticated with the same token. In fact, eventOctokit is octokit
  2. If event name is installation and payload.action is either suspend or deleted, then eventOctokit is unauthenticated using @octokit/auth-unauthenticated
  3. Otherwise eventOctokit is authenticated as installation based on payload.installation.id

LICENSE

ISC

Keywords

FAQs

Package last updated on 16 Nov 2024

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc