[github-oauth-ui] Error: Failed requesting GitHub access token: fetch failed #188

Open
zsq1234 opened this issue Jan 16, 2024 · 1 comment
Labels
bug Something isn't working regression This feature worked in a previous version

zsq1234 commented Jan 16, 2024

Bug Report

Versions

Version
Verdaccio verdaccio:5.26.3
This plugin [email protected]
Node v18.17.0

Environment

Name Version
Package manager helm
Browser firefox, chrome
Operating system Linux

Observed behavior

docker file:

FROM verdaccio/verdaccio:5.26

ADD docker.yaml /verdaccio/conf/config.yaml  

USER root

RUN apk add -f curl

RUN npm install --global verdaccio-github-oauth-ui@6

USER $VERDACCIO_USER_UID

helm values.yaml:

extraEnvVars:
  - name: VERDACCIO_PORT
    value: "4873"
  - name: GLOBAL_AGENT_HTTP_PROXY
    value: http://192.168.50.254:6152
  - name: GLOBAL_AGENT_HTTPS_PROXY
    value: http://192.168.50.254:6152
  - name: GLOBAL_AGENT_NO_PROXY
    value: localhost,127.0.0.1
  - name: HTTP_PROXY
    value: http://192.168.50.254:6152
  - name: HTTPS_PROXY
    value: http://192.168.50.254:6152
  - name: NO_PROXY
    value: localhost,127.0.0.1
  - name: http_proxy
    value: http://192.168.50.254:6152
  - name: https_proxy
    value: http://192.168.50.254:6152
  - name: no_proxy
    value: localhost,127.0.0.1
  - name: GLOBAL_AGENT_ENVIRONMENT_VARIABLE_NAMESPACE
    value: ""

configMap: |
  # path to a directory with all packages
  storage: /verdaccio/storage/data

  web:
    # WebUI is enabled as default, if you want disable it, just uncomment this line
    #enable: false
    title: Verdaccio

  auth:
    github-oauth-ui:
      client-id: "Iv1.xxxx"
      client-secret: "87d57xxxxx"
      token: "ghp_xxxx"

  # a list of other known repositories we can talk to
  uplinks:
    npmjs:
      url: https://registry.npmjs.org/
      agent_options:
        keepAlive: true
        maxSockets: 40
        maxFreeSockets: 10

  packages:
    '@*/*':
      # scoped packages
      access: $all
      publish: $authenticated
      proxy: npmjs

    '**':
      # allow all users (including non-authenticated users) to read and
      # publish all packages
      #
      # you can specify usernames/groupnames (depending on your auth plugin)
      # and three keywords: "$all", "$anonymous", "$authenticated"
      access: $all

      # allow all known users to publish packages
      # (anyone can register by default, remember?)
      publish: $authenticated

      # if package is not available locally, proxy requests to 'npmjs' registry
      proxy: npmjs

  # To use `npm audit` uncomment the following section
  middlewares:
    github-oauth-ui:
      enabled: true

  # log settings
  log: { type: file, path: /tmp/verdaccio.log, level: debug }

The login button can open the GitHub OAuth page, but the redirect to the /-/oauth/callback URL returns a 500.
[image]

The log is:
[image]
[image]

Expected behavior

Expected a 200, as when run with curl in the same pod:

~ $ curl -v -X POST "https://github.com/login/oauth/access_token?client_id=Iv1.xxxx&client_secret=87d57xxx&code=e909c0ea8fcc9495b997"
* Uses proxy env variable no_proxy == 'localhost,127.0.0.1'
* Uses proxy env variable https_proxy == 'http://192.168.50.254:6152'
*   Trying 192.168.50.254:6152...
* Connected to 192.168.50.254 (192.168.50.254) port 6152
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to github.com:443
> CONNECT github.com:443 HTTP/1.1
> Host: github.com:443
> User-Agent: curl/8.5.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.0 200 Connection established
< 
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
*  start date: Feb 14 00:00:00 2023 GMT
*  expire date: Mar 14 23:59:59 2024 GMT
*  subjectAltName: host "github.com" matched cert's "github.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha384WithRSAEncryption
*   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha1WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://github.com/login/oauth/access_token?client_id=Iv1.xxxx&client_secret=87d571b093xxxx&code=e909c0ea8fcc9495b997
* [HTTP/2] [1] [:method: POST]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: github.com]
* [HTTP/2] [1] [:path: /login/oauth/access_token?client_id=Iv1.xxxx&client_secret=87d571b0xxxx&code=e909c0ea8fcc9495b997]
* [HTTP/2] [1] [user-agent: curl/8.5.0]
* [HTTP/2] [1] [accept: */*]
> POST /login/oauth/access_token?client_id=Iv1.xxxx&client_secret=87d57xxxxxx&code=e909c0ea8fcc9495b997 HTTP/2
> Host: github.com
> User-Agent: curl/8.5.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200 
< server: GitHub.com
< date: Tue, 16 Jan 2024 12:35:12 GMT
< content-type: application/x-www-form-urlencoded; charset=utf-8
< vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame
< etag: W/"f6ae999f9d860bf0d7a02555e2c84bd5"
< cache-control: max-age=0, private, must-revalidate
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
< x-content-type-options: nosniff
< x-xss-protection: 0
< referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
< content-security-policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events api.githubcopilot.com objects-origin.githubusercontent.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com support.github.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com 
*.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
< vary: Accept-Encoding, Accept, X-Requested-With
< x-github-request-id: D62A:7C4E:3CE4C3:3F3AA4:65A67800
< 
* Connection #0 to host 192.168.50.254 left intact
access_token=ghu_xxxx&expires_in=28800&refresh_token=ghr_xxxx&refresh_token_expires_in=15724800&scope=&token_type=bearer~ 
Owner

n4bb12 commented Feb 12, 2024

Thanks for the report.

The problem likely has to do with the use of a proxy server.

I believe proxy support might have broken when switching from manual HTTP requests to using Octokit, since Octokit uses fetch, which does not respect HTTP_PROXY.

@n4bb12 n4bb12 added the bug Something isn't working label May 20, 2024
@n4bb12 n4bb12 added the regression This feature worked in a previous version label May 30, 2024
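
The comment above attributes the failure to fetch not reading HTTP_PROXY; in that situation the proxy has to be resolved from the environment and handed to fetch explicitly. The following is an added example, not code from verdaccio-github-oauth-ui or Octokit: `isNoProxy`, `proxyForUrl`, `installFetchProxy` and `sampleEnv` are hypothetical names, the NO_PROXY matching is a simplified version of what curl does, and `installFetchProxy` assumes the `undici` package is installed.

```javascript
// Simplified NO_PROXY match for hostnames and IPv4 literals:
// exact host or domain suffix; "*" disables proxying entirely.
function isNoProxy(hostname, noProxy) {
  const host = hostname.toLowerCase();
  return (noProxy || "")
    .split(",")
    .map((entry) => entry.trim().toLowerCase().replace(/^\./, ""))
    .filter(Boolean)
    .some((entry) => entry === "*" || host === entry || host.endsWith("." + entry));
}

// Returns the proxy URL that applies to `target`, or null for a direct connection.
// Lowercase variables win over uppercase ones (a convention chosen for this example).
function proxyForUrl(target, env) {
  const url = new URL(target);
  if (isNoProxy(url.hostname, env.no_proxy || env.NO_PROXY)) return null;
  const scheme = url.protocol === "https:" ? "https" : "http";
  const proxy = env[scheme + "_proxy"] || env[scheme.toUpperCase() + "_PROXY"];
  if (!proxy) return null;
  const parsed = new URL(proxy); // throws on a malformed proxy value
  if (!/^https?:$/.test(parsed.protocol)) {
    throw new Error("unsupported proxy scheme: " + parsed.protocol);
  }
  return parsed.href;
}

// Assumption: the `undici` package is installed next to the application.
// setGlobalDispatcher makes subsequent global fetch() calls use the ProxyAgent.
function installFetchProxy(target, env = process.env) {
  const proxy = proxyForUrl(target, env);
  if (!proxy) return null;
  const { ProxyAgent, setGlobalDispatcher } = require("undici");
  setGlobalDispatcher(new ProxyAgent(proxy));
  return proxy;
}

// Constructed sample mirroring the proxy variables in the report's values.yaml.
const sampleEnv = {
  HTTPS_PROXY: "http://192.168.50.254:6152",
  https_proxy: "http://192.168.50.254:6152",
  no_proxy: "localhost,127.0.0.1",
};
const TOKEN_URL = "https://github.com/login/oauth/access_token";
```

Calling `installFetchProxy(TOKEN_URL)` once at startup, before the first token request, is enough; a malformed or non-HTTP proxy value fails loudly instead of silently falling back to a direct connection.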