hub complains "Unauthorized (HTTP 401)" and "Bad credentials"

[gparker42]

hub 2.2.2 on OS X complains "Unauthorized (HTTP 401)" and "Bad credentials" when I try to check out a pull request.

I have not used hub before. My credentials work in curl and on the web site. I have nothing in any OS X keychain matching "github". My usual github access uses an SSH key and no 2FA.

% hub --version
git version 2.6.3 (Apple Git-62)
hub version 2.2.2

% ls ~/.config/hub
ls: /Volumes/precious/gparker/.config/hub: No such file or directory

[note git is not an alias, so the following is real git and not hub]

% git clone [email protected]:/apple/swift.git
Cloning into 'swift'...
remote: Counting objects: 318893, done.
remote: Compressing objects: 100% (123/123), done.
remote: Total 318893 (delta 42), reused 1 (delta 1), pack-reused 318768
Receiving objects: 100% (318893/318893), 66.27 MiB | 4.56 MiB/s, done.
Resolving deltas: 100% (261489/261489), done.
Checking connectivity... done.
Checking out files: 100% (9920/9920), done.

% cd swift

% env HUB_VERBOSE=1 hub checkout http://github.com/apple/swift/pull/862
github.com username: gparker42
github.com password for gparker42 (never stored): 
> GET https://api.github.com/repos/apple/swift/pulls/862
> Authorization: token 
< HTTP 401
{"message":"Bad credentials","documentation_url":"https://developer.github.com/v3"}
Error getting pull request: Unauthorized (HTTP 401)
Bad credentials

[note that I don't have anything in ~/.config/hub after this sequence]

% curl -u gparker42 https://api.github.com/repos/apple/swift/pulls/862
Enter host password for user 'gparker42':
{
  "url": "https://api.github.com/repos/apple/swift/pulls/862",
  "id": 54923914,
  "html_url": "https://github.com/apple/swift/pull/862",
  […]

[mislav]

Are you sure you haven't removed anything from the below output:

% env HUB_VERBOSE=1 hub checkout http://github.com/apple/swift/pull/862
github.com username: gparker42
github.com password for gparker42 (never stored): 
> GET https://api.github.com/repos/apple/swift/pulls/862
> Authorization: token 
< HTTP 401
{"message":"Bad credentials","documentation_url":"https://developer.github.com/v3"}

It seems incomplete. Like it didn't try to obtain an OAuth token at all.

Do you still have this issue?

[gparker42]

Still reproduces with hub-2.2.2. I haven't tried building hub from source.

The output shown above is exactly what I see, except for some colorization of the verbose output.

[mislav]

Thanks for updating. This is really weird. According to your HTTP log, it never even tries to exchange your username/password for OAuth token. I've never seen this behavior before. Which version of OS X are you on?

[gparker42]

This is OS X 10.11.4 beta (build 15E27e). I might have a 10.11.2 or 10.11.3 machine to try.

[kakra]

I'm seeing the same problem, using Gentoo Linux. "hub create" simply shows 401:

kakra@jupiter ~/src/php-graveyard [git:master] $ HUB_VERBOSE=1 hub create
$ git config alias.create
$ git rev-parse -q --git-dir
> GET https://api.github.com/repos/kakra/php-graveyard
> Authorization: token [REDACTED]
< HTTP 401
{"message":"Bad credentials","documentation_url":"https://developer.github.com/v3"}
> POST https://api.github.com/user/repos
> Authorization: token [REDACTED]
{"owner":{},"name":"php-graveyard","private":false,"pushed_at":"0001-01-01T00:00:00Z","created_at":"0001-01-01T00:00:00Z","updated_at":"0001-01-01T00:00:00Z","permissions":{"Admin":false,"Push":false,"Pull":false}}

< HTTP 401
{"message":"Bad credentials","documentation_url":"https://developer.github.com/v3"}
Error creating repository: Unauthorized (HTTP 401)
Bad credentials

[kakra]

Nevermind: After removing $HOME/.config/hub it works. It asked my user/pass and stored a new token. I expected it to be found in $HOME/.gitconfig because there I removed it the first time.

[gparker42]

With hub-2.2.3 on OS X 10.11.3 (15D21) it now sometimes works and sometimes fails when there is no ~/.config/hub file.

Success and failure output below. I manually redacted anything that looked like it might be sensitive, in addition to the output's own redactions. Note that the "successful" output also starts with a bunch of failed requests.

curl still works every time. hub-2.2.2 still fails every time. hub-2.2.2 works after hub-2.2.3 successfully creates a ~/.config/hub file.

Success:

% env HUB_VERBOSE=1 hub checkout http://github.com/apple/swift/pull/862
$ git config alias.checkout
$ git config hub.host
github.com username: gparker42
github.com password for gparker42 (never stored): 
> POST https://api.github.com/authorizations
> Authorization: Basic [REDACTED]
{"scopes":["repo"],"note":"hub for [email protected]","note_url":"http://hub.github.com/"}

< HTTP 422
{"message":"Validation Failed","errors":[{"resource":"OauthAccess","code":"already_exists","field":"description"}],"documentation_url":"https://developer.github.com/v3/oauth_authorizations/#create-a-new-authorization"}
> POST https://api.github.com/authorizations
> Authorization: Basic [REDACTED]
{"scopes":["repo"],"note":"hub for [email protected] 2","note_url":"http://hub.github.com/"}

< HTTP 422
{"message":"Validation Failed","errors":[{"resource":"OauthAccess","code":"already_exists","field":"description"}],"documentation_url":"https://developer.github.com/v3/oauth_authorizations/#create-a-new-authorization"}
> POST https://api.github.com/authorizations
> Authorization: Basic [REDACTED]
{"scopes":["repo"],"note":"hub for [email protected] 3","note_url":"http://hub.github.com/"}

< HTTP 422
{"message":"Validation Failed","errors":[{"resource":"OauthAccess","code":"already_exists","field":"description"}],"documentation_url":"https://developer.github.com/v3/oauth_authorizations/#create-a-new-authorization"}
> POST https://api.github.com/authorizations
> Authorization: Basic [REDACTED]
{"scopes":["repo"],"note":"hub for [email protected] 4","note_url":"http://hub.github.com/"}

< HTTP 422
{"message":"Validation Failed","errors":[{"resource":"OauthAccess","code":"already_exists","field":"description"}],"documentation_url":"https://developer.github.com/v3/oauth_authorizations/#create-a-new-authorization"}
> POST https://api.github.com/authorizations
> Authorization: Basic [REDACTED]
{"scopes":["repo"],"note":"hub for [email protected] 5","note_url":"http://hub.github.com/"}

< HTTP 422
{"message":"Validation Failed","errors":[{"resource":"OauthAccess","code":"already_exists","field":"description"}],"documentation_url":"https://developer.github.com/v3/oauth_authorizations/#create-a-new-authorization"}
> POST https://api.github.com/authorizations
> Authorization: Basic [REDACTED]
{"scopes":["repo"],"note":"hub for [email protected] 6","note_url":"http://hub.github.com/"}

< HTTP 201
< Location: https://api.github.com/authorizations/28401207
{"id":28401207,"url":"https://api.github.com/authorizations/28401207","app":{"name":"hub for [email protected] 6","url":"http://hub.github.com/","client_id":"00000000000000000000"},"token":"[REDACTED]","hashed_token":"[REDACTED]","token_last_eight":"[REDACTED]","note":"hub for [email protected] 6","note_url":"http://hub.github.com/","created_at":"2016-02-22T15:18:42Z","updated_at":"2016-02-22T15:18:42Z","scopes":["repo"],"fingerprint":null}
> GET https://api.github.com/user
> Authorization: token [REDACTED]
< HTTP 200
{"login":"gparker42", [...]}
> GET https://api.github.com/repos/apple/swift/pulls/862
> Authorization: token [REDACTED]
< HTTP 200
{"url":"https://api.github.com/repos/apple/swift/pulls/862", [...]}
[...]

Failure:

% env HUB_VERBOSE=1 hub checkout http://github.com/apple/swift/pull/862
$ git config alias.checkout
$ git config hub.host
github.com username: gparker42
github.com password for gparker42 (never stored): 
> POST https://api.github.com/authorizations
> Authorization: Basic [REDACTED]
{"scopes":["repo"],"note":"hub for [email protected]","note_url":"http://hub.github.com/"}

< HTTP 422
{"message":"Validation Failed","errors":[{"resource":"OauthAccess","code":"already_exists","field":"description"}],"documentation_url":"https://developer.github.com/v3/oauth_authorizations/#create-a-new-authorization"}
> POST https://api.github.com/authorizations
> Authorization: Basic [REDACTED]
{"scopes":["repo"],"note":"hub for [email protected] 2","note_url":"http://hub.github.com/"}

< HTTP 422
{"message":"Validation Failed","errors":[{"resource":"OauthAccess","code":"already_exists","field":"description"}],"documentation_url":"https://developer.github.com/v3/oauth_authorizations/#create-a-new-authorization"}
> POST https://api.github.com/authorizations
> Authorization: Basic [REDACTED]
{"scopes":["repo"],"note":"hub for [email protected] 3","note_url":"http://hub.github.com/"}

< HTTP 422
{"message":"Validation Failed","errors":[{"resource":"OauthAccess","code":"already_exists","field":"description"}],"documentation_url":"https://developer.github.com/v3/oauth_authorizations/#create-a-new-authorization"}
> POST https://api.github.com/authorizations
> Authorization: Basic [REDACTED]
{"scopes":["repo"],"note":"hub for [email protected] 4","note_url":"http://hub.github.com/"}

< HTTP 422
{"message":"Validation Failed","errors":[{"resource":"OauthAccess","code":"already_exists","field":"description"}],"documentation_url":"https://developer.github.com/v3/oauth_authorizations/#create-a-new-authorization"}
> POST https://api.github.com/authorizations
> Authorization: Basic [REDACTED]
{"scopes":["repo"],"note":"hub for [email protected] 5","note_url":"http://hub.github.com/"}

< HTTP 201
< Location: https://api.github.com/authorizations/28401173
{"id":28401173,"url":"https://api.github.com/authorizations/28401173","app":{"name":"hub for [email protected] 5","url":"http://hub.github.com/","client_id":"00000000000000000000"},"token":"[REDACTED]","hashed_token":"[REDACTED]","token_last_eight":"[REDACTED]","note":"hub for [email protected] 5","note_url":"http://hub.github.com/","created_at":"2016-02-22T15:18:00Z","updated_at":"2016-02-22T15:18:00Z","scopes":["repo"],"fingerprint":null}
> GET https://api.github.com/user
> Authorization: token [REDACTED]
< HTTP 401
{"message":"Bad credentials","documentation_url":"https://developer.github.com/v3"}
> GET https://api.github.com/repos/apple/swift/pulls/862
> Authorization: token 
< HTTP 401
{"message":"Bad credentials","documentation_url":"https://developer.github.com/v3"}
Error getting pull request: Unauthorized (HTTP 401)
Bad credentials

[shawnzhu]

It works for me after updating the oauth_token value within ~/.config/hub

[mislav]

@gparker42 Thanks for all that info. Do you still have a persistent issue, or did it go away?

[maxandersen]

I'm on hub version 2.2.3 and I have the exact same problem:

 env HUB_VERBOSE=1 hub browse                                                                        ⏎
$ git config alias.browse
$ git rev-parse -q --git-dir
$ git remote -v
$ git config hub.host
> GET https://api.github.com/user
> Authorization: token [REDACTED]
< HTTP 401
{"message":"Bad credentials","documentation_url":"https://developer.github.com/v3"}
Error getting current user: Unauthorized (HTTP 401)
Bad credentials

I have no ~/.config/hub file.

[maxandersen]

what is the content that needs to go in ~/.config/hub ? if I could hand create that I would hope I could get pass this and actually get hub working again for me ;)

[maxandersen]

Tried writeup my own ~/.config/hub looking something like:

github.com:
- user: maxandersen
  oauth_token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  protocol: https

but still get same errors.

Also tried remove the oauth_token to hope it would re-auth but nope, still same errors about not being authorized.

[stevenharman]

I'm seeing the same thing. hub used to work fine, and stopped at some point. I'm finally getting around to figuring out why. I have no ~/.config/hub file.

cat ~/.config/hub
cat: /Users/[blah]/.config/hub: No such file or directory

The log from hub:

env HUB_VERBOSE=1 hub pull-request
$ git config alias.pull-request
$ git rev-parse -q --git-dir
$ git remote -v
$ git config hub.host
> GET https://api.github.com/user
> Authorization: token [REDACTED]
< HTTP 401
{"message":"Bad credentials","documentation_url":"https://developer.github.com/v3"}
Error getting current user: Unauthorized (HTTP 401)
Bad credentials

This suggests to me that a token is being found... somewhere. But I'm not sure where.

[cacrawford]

I had this same problem. Turns out I had set GITHUB_TOKEN in my .zshrc long ago, to a token that was no longer valid. Removing this fixed the issue.

[stevenharman]

@cacrawford, brilliant! Your suggestion led me to investigate the files I was sourcing in my ZSH setup. It turns out I had a .zlocal with my GITHUB_TOKEN set. Doh!

[strongwinderic]

where can I store the ~/.config/hub file when hub command is invoked through, for example, popen, vai python? since there is no ~directory, is there a global configuration for hub, to store the username and the token?

[c-geek]

@erictrade Have you found a solution for this?

[mislav]

where can I store the ~/.config/hub file when hub command is invoked through, for example, popen, vai python?

@erictrade Are you saying that in those cases, HOME environment variable isn't set? Hub wasn't designed to operate in such a case. Do you feel like it should?

[strongwinderic]

hi @c-geek and @mislav ! I edited weblate sources to workaround my problems, and it's working really good for me. I edited 2 files, to be exactly. It fixed 2 problems I was having. But this code is not really clean, because I hardcoded some strings for not knowing weblate full structure. Also, I needed to create the github repository, creating another method. I think I shoud creat it also on its base class, but I didn't because of our rush here. I can submit a pull request as is, so you can analyse the code, and refactor to get it cleaner. I can comment everything to show exactly why I changed, and why it's working now. Does it help anyway? If so, I'll fork the repository and submit a pull request, explaining everything. =)

[strongwinderic]

Just to be documented, I got the idea of how to fix it on this already closed issue on hub project: https://github.com/github/hub/issues/1164

[c-geek]

Well I finally managed to make it work, actually I was misunderstanding hub push behavior (no hub credential used) compared to hub pull-request (hub crediential used) along with other things commented on this weblate issue.

Anyway, @erictrade, putting yout solution could help future users crawling the web up to this issue!

[mislav]

@erictrade I'm not sure if I follow what your issue is. Is something a blocker for you? Did you solve it? Would you share your solution with us, maybe in the aforementioned thread if it's on-topic? Do you think many people are affected by this?

[strongwinderic]

I can share the piece of code here, and I can make a PR on weblate open source project, with the entire solution to my problem. About hub and popen, here is the trick:

        process = subprocess.Popen(
            args,
            cwd=cwd,
            env=get_clean_env({'GIT_SSH': ssh_file(SSH_WRAPPER),
                               'HUB_CONFIG': '/home/youruser/.config/hub'}),
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
        )

As it was a clean enviroment I was using, it could not find the hub config file. So, adding 'HUB_CONFIG': '/home/youruser/.config/hub' it works. Of course, hard coding this path is not a good solution, but the idea is exactly this. So, I guess the issue is not hub's problem, but the implementation when using it.

[mislav]

Does anyone still have a problem with 401 "Bad Credentials" error messages when using a recent version of hub? Otherwise I'm inclined to close this issue. Thanks everyone for your input!

[dbushong]

This fails for me with hub 2.2.8 on OSX 10.11.4 talking to an internal GHE host. When I wrote my own ~/.config/hub using @maxandersen 's comment as a template, and using an oauth token I generated from the Settings page myself, everything works fine.

[mislav]

@dbushong Does your GHE host allow authentication via username & password?

[dbushong]

Via the API? I'm not sure. We log into the website via an SSO front-door and do git operations via ssh. That might be the problem. Might want to add something to the docs about how to set up the ~/.config/hub file manually.

[mislav]

Yes that is a very common request with GHE. I'm going to add a command that helps you configure your GHE authentication by prompting you to paste a Personal Access token that you generated yourself. That will help a great deal, I think.

[maxandersen]

$ hub --version                                                           ⏎
git version 2.7.4 (Apple Git-66)
hub version 2.2.8
$ git co https://github.com/almighty/almighty-devdoc/pull/61
Error getting pull request: Unauthorized (HTTP 401)
Bad credentials
$ export GITHUB_TOKEN=<secret>
$  git co https://github.com/almighty/almighty-devdoc/pull/61
Updating ALRubinger
remote: Counting objects: 6, done.
remote: Compressing objects: 100% (6/6), done.
...

so afaik its still not fixed. hub always say i'm unauthorized and does not ask for setting up token/auth of any kind.

[mislav]

@maxandersen In the meantime, until hub implements re-authorization, can you just swap your token in ~/.config/hub with the one that you pasted as GITHUB_TOKEN?