GraphQL rate limits documentation mentions an unavailable authentication method
Code of Conduct
- [X] I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
https://docs.github.com/en/graphql/overview/rate-limits-and-node-limits-for-the-graphql-api
What part(s) of the article would you like to see updated?
The article includes the following sentence when detailing primary rate limits for each authentication method:
For OAuth apps: 5,000 points per hour, or 10,000 points per hour if the app is owned by a GitHub Enterprise Cloud organization. This only applies when the app uses their client ID and client secret to request public data.
However, authentication via client ID + client secret for OAuth apps appears not to be available for the GraphQL API, as a user pointed out in octokit/auth-oauth-app.js#46. I also got the same result when trying via curl.
If the quoted sentence refers to the aforementioned client ID + client secret basic authentication mechanism (which, to my knowledge, is only available for the REST API), it probably shouldn't be there. If that's not the case, it's unclear which authentication method it refers to.
@Fs00 Thank you for opening an issue! I'll get this triaged for review ✨
Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert :eyes:
@Fs00 Thank you for your patience while our team reviewed! ✨ After reviewing your issue, our engineering team provided the following response -
I took a look at our documentation and I don’t see any exclusions for OAuth for GraphQL: https://thehub.github.com/epd/engineering/dev-practicals/secure-coding/secure-coding-general/auth-on-api/#enforcing-oauth-tok[…]s-on-the-graphql-api which means it should work for both REST API and GraphQL. However, an organization needs to approve each OAuth app https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/about-oauth-app-access-restrictions#about-oau[…]strictions unless those restrictions were disabled manually: When you create a new organization, OAuth app access restrictions are enabled by default. Organization owners can disable OAuth app access restrictions at any time. Could this be the case for the customers who mentioned that they cannot authorize their apps?
Please let us know if you have any thoughts regarding our engineering team's response, especially regarding the statement "When you create a new organization, OAuth app access restrictions are enabled by default." Thank you! 💛
Hello @nguyenalex836. I appreciate your efforts, however I don't think that the above response answers my question. I'm aware of the existence of OAuth app restrictions for organizations, but they don't seem to be at play here: the query in the Octokit issue I mentioned earlier does not fetch any organization data, it just tries to access a public user profile's data.
My question is all about the (in-)ability to authenticate to the GraphQL API via OAuth client ID + client secret without any sort of token or user authentication, as it can be done with the REST API. As far as I know, GH docs don't clearly state if this is possible or not and the only "official" piece of information we have (the paragraph I quoted in the issue) appears to conflict with what can be experienced by users.
Hi @Fs00, thank you for your report! I took a look on behalf of the engineering team, and yes, you pointed it out correctly: for GraphQL requests, basic auth with OAuth client ID and client secret only is not enough. I apologize for the initial confusion; we will work on adjusting the docs to make it clear.
Thank you for the clarification @AlenaSviridenko!
@AlenaSviridenko Thank you for providing that clarification! 💛 @Fs00 Thank you as well for continuing to advocate for fixing the doc's discrepancy! ✨
I took a look on behalf of the engineering team, and yes, you pointed it out correctly: for GraphQL requests, basic auth with OAuth client ID and client secret only is not enough.
I've added the help wanted label to this issue so that anyone in the community may open a PR to update this doc
I can see that the issue is with the syntax of the authentication method in the GraphQL rate limits documentation. Specifically, the documentation mentions an authentication method with the following syntax:
Authorization: Bearer
or
Authorization: token
However, it seems that the correct syntax for authentication is:
Authorization: Bearer YOUR_GITHUB_PERSONAL_ACCESS_TOKEN
or
Authorization: token ghp_YOUR_GITHUB_PERSONAL_ACCESS_TOKEN
The issue is that the documentation uses the syntax
Thank you for opening this issue! Updates to this documentation must be made internally. I have copied your issue to an internal issue, so I will close this issue.
As this relates to GraphQL, I'm going to transfer this to an internal issue to make sure it's tracked more effectively. Thank you again for raising this and identifying a needed fix!
On Tue 27. 8. 2024, 6:55 PM Alex Nguyen @.***> wrote:
@Fs00 https://github.com/Fs00 Thank you for your patience while our team reviewed! ✨ After reviewing your issue, our engineering team provided the following response -
I took a look at our documentation and I don’t see any exclusions for OAuth for GraphQL: https://thehub.github.com/epd/engineering/dev-practicals/secure-coding/secure-coding-general/auth-on-api/#enforcing-oauth-token-scopes-on-the-graphql-api which means it should work for both REST API and GraphQL. However, an organization needs to approve each OAuth app https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/about-oauth-app-access-restrictions#about-oauth-app-access-restrictions unless those restrictions were disabled manually: When you create a new organization, OAuth app access restrictions are enabled by default. Organization owners can disable OAuth app access restrictions https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization at any time. Could this be the case for the customers who mentioned that they cannot authorize their apps?
Please let us know if you have any thoughts regarding our engineering team's response, especially regarding the statement "When you create a new organization, OAuth app access restrictions are enabled by default." Thank you! 💛
Reply to this email directly, view it on GitHub https://github.com/github/docs/issues/34114#issuecomment-2313063805