
Github App Installations #584

Open
saddam-azad opened this issue Jun 10, 2023 · 13 comments
Labels
bug Something isn't working

Comments

@saddam-azad

Describe the bug

We are using a Github App (as opposed to Github OAuth App) as the Client ID in Supabase Auth. Supabase handles normal user authentication as expected: The App is installed on the User account successfully.

However, if we attempt to add new installations of the App on more User/Org accounts, Supabase is unable to handle App installations.

To Reproduce

  1. Create a Github App and a Supabase project
  2. Use Github as provider for Supabase Auth; Use Github App Client ID
  3. Attempt to create new app installation

Here is the workflow:

  1. The user clicks on a button that should take them to the following URL:
    https://github.com/apps/<APP>/installations/new

  2. The user selects an account or organization and proceeds to install the GitHub App.

  3. After the installation is completed, GitHub redirects the user to the Redirect URL:
    https://<PROJECT>.supabase.co/auth/v1/callback?code=<CODE>&installation_id=<ID>&setup_action=install

  4. Error: 400 "OAuth state parameter missing"

Expected behavior

Supabase should redirect the user back to the app with a refreshed token.

System information

  • OS: Windows 11
  • Version of supabase-js: 2.24.0
  • Version of Node.js: v18.13.0
@saddam-azad saddam-azad added the bug Something isn't working label Jun 10, 2023
@saddam-azad
Author

saddam-azad commented Jun 10, 2023

Take 2

  1. Generated nanoid and sent ?state parameter with initial query
    https://github.com/apps/<APP>/installations/new?state=<NANOID>

  2. On success, Github sends browser to:
    https://<PROJECT>.supabase.co/auth/v1/callback?code=<CODE>&installation_id=<ID>&setup_action=install&state=<NANOID>

  3. This is what happens on Supabase end:
    { "code":400, "msg":"OAuth state is invalid: token contains an invalid number of segments" }

What is the expected format of the state?

@silentworks
Contributor

I've just been able to test this now and I'm not getting any of the errors you are getting. Do note you need to enable the email addresses permission when setting this up. I've attached a video showing this working with my application.

[attachment: Kapture.2023-09-04.at.13.44.53.mp4]
[attachment: Screenshot 2023-09-04 at 13 35 00]

@yojindo

yojindo commented Sep 8, 2023

I'm having the same exact issue as well, but despite turning on the email address access, I'm still receiving the same issue.

@gabriel-pineda

I am also getting the same issue.
@silentworks perhaps this can be reopened.

Your video showed the flow where users login through the app.
The issue/error above happens when the user installs the app from Github itself.

@silentworks
Contributor

@gabriel-pineda You will need to provide me with steps for that please and it would be good to provide an app that works with the flow you are mentioning so I can understand it better.

@gabriel-pineda

gabriel-pineda commented Sep 16, 2023

@saddam-azad outlined it perfectly above, but I can supply you with a video:

[attachment: supabase-auth-bug.mov]

This flow started from clicking on "Install App" from the GitHub App page.

Whereas in your video, you installed the App on your website. Installing the app via the website works fine; the problem lies in installing the app from the GitHub App page (and possibly even in the GitHub app marketplace).

Edit: might also be related to this: https://github.com/orgs/supabase/discussions/397#discussioncomment-396221

@silentworks
Contributor

@gabriel-pineda I was asking for an app that actually works with this flow, not one that doesn't work (in the case of your supabase app). I need to see the flow working to understand better what is supposed to happen, so please link to any other GitHub App that you know of that works as expected.

@saddam-azad
Author

saddam-azad commented Sep 21, 2023

@silentworks, it appears there is some confusion regarding what is happening. Allow me to break this down:

1. Supabase Github OAuth Flow:

- Uses Github OAuth App
- Installs the OAuth App on the User's Account

i.e. User clicks on Login (using Supabase client-side handler)
The User is taken to https://github.com/login/oauth/authorize?client_id=<APP_ID>,
User installs the app,
User is redirected to Supabase Redirect URL (auth/v1/callback)
which then redirects User back to the Client with token.

Supabase works as expected.

Edit: The OAuth Flow works seamlessly with a Github App too, as you have shown in your video.

2. Github App Installation Flow:

- Uses Github App (which is distinct from Github OAuth App)
- Not installed on a User Account - instead it manages `installations` on multiple Accounts
- Each installation has a unique ID.

i.e. User goes to https://github.com/apps/<APP_ID>/installations/new,

This flow only takes place when a) You try to install a Github App from Marketplace, or b) The Client sends User to this URL on purpose.

User creates a new installation on one of their accounts (Personal or Org)

Github redirects the User to Supabase Redirect URL such as:
/auth/v1/callback?code=<CODE>&installation_id=<ID>&setup_action=install&state=<STATE>

The installation flow sends installation_id and setup_action=install as unique query parameters along with state. Supabase is unable to handle this request because this was never considered a use-case.

As you can see, the Github App Installation Flow is different from Github OAuth Flow. I hope this clarifies the issue. This thread can be tagged as a Feature Request, not a bug.

@silentworks
Contributor

@saddam-azad I don't think you read my message correctly. What I am asking for is an example app (not Supabase app) that has this flow working so I can see what is expected to happen. Describing to me what's happening without me being able to test it makes it kinda hard for me to work out what's causing the issue as this might be more of a GoTrue issue than the auth-helpers itself.

@saddam-azad
Author

@silentworks Try out nuxt.studio. Create an account and import a project from Github. There is a working Github App Installation Flow.

@silentworks
Contributor

Thanks for the link @saddam-azad, I'm going to re-open this issue until I test nuxt.studio and see how the flow works, to further finding a fix for the issue.

@silentworks silentworks reopened this Oct 5, 2023
@rafaelmotta

@saddam-azad have you figured this out? I'm also facing the same problem.

@horlah

horlah commented Feb 2, 2024

I found the fix, uncheck the "Request user authorization (OAuth) during installation" checkbox below the "Callback URL" input and add the callback URL for your Github App installation redirect to the "Setup URL (optional)" input field in the "Post installation" section.

So you don't have your Github App redirecting to Supabase Auth callback

[attachment: Screenshot 2024-02-01 at 8 16 45 PM]
