integration_gitlab

Avatars of private projects fail to load with OAuth

Open TheTimeWalker opened this issue 5 years ago • 4 comments

Currently, when using the integration over OAuth with the scopes api, read_user, read_api and read_repository, the project avatars still fail to load with a 401 Unauthorized response by the Gitlab instance.

Version: Nextcloud 20.0.0 PHP: 7.4

Error log:

[index] Error: GuzzleHttp\Exception\ClientException: Client error: `GET https://gitlab.com/uploads/-/system/project/avatar/8711754/gitlab-projectname.png` resulted in a `401 Unauthorized` response:
You need to sign in or sign up before continuing.
 at <<closure>>

 0. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Middleware.php line 65
    GuzzleHttp\Exception\RequestException::create(GuzzleHttp\Psr7\Request {}, "*** sensitive parameter replaced ***")
 1. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 203
    GuzzleHttp\Middleware::GuzzleHttp\{closure}("*** sensitive parameters replaced ***")
 2. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 156
    GuzzleHttp\Promise\Promise::callHandler(1, "*** sensitive parameter replaced ***", [GuzzleHttp\Prom ... l])
 3. /var/www/html/3rdparty/guzzlehttp/promises/src/TaskQueue.php line 47
    GuzzleHttp\Promise\Promise::GuzzleHttp\Promise\{closure}("*** sensitive parameters replaced ***")
 4. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 246
    GuzzleHttp\Promise\TaskQueue->run(true)
 5. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 223
    GuzzleHttp\Promise\Promise->invokeWaitFn()
 6. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 267
    GuzzleHttp\Promise\Promise->waitIfPending()
 7. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 225
    GuzzleHttp\Promise\Promise->invokeWaitList()
 8. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 62
    GuzzleHttp\Promise\Promise->waitIfPending()
 9. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Client.php line 183
    GuzzleHttp\Promise\Promise->wait()
10. /var/www/html/lib/private/Http/Client/Client.php line 233
    GuzzleHttp\Client->request("get", "https://gitlab. ... g", {verify: "/var/w ... e})
11. /var/www/html/custom_apps/integration_gitlab/lib/Service/GitlabAPIService.php line 319
    OC\Http\Client\Client->get("https://gitlab. ... g")
12. /var/www/html/custom_apps/integration_gitlab/lib/Controller/GitlabAPIController.php line 85
    OCA\Gitlab\Service\GitlabAPIService->getGitlabAvatar("https://gitlab. ... g")
13. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 169
    OCA\Gitlab\Controller\GitlabAPIController->getGitlabAvatar("https://gitlab. ... g")
14. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 100
    OC\AppFramework\Http\Dispatcher->executeController(OCA\Gitlab\Contr ... "}, "getGitlabAvatar")
15. /var/www/html/lib/private/AppFramework/App.php line 152
    OC\AppFramework\Http\Dispatcher->dispatch(OCA\Gitlab\Contr ... "}, "getGitlabAvatar")
16. /var/www/html/lib/private/Route/Router.php line 308
    OC\AppFramework\App::main("OCA\\Gitlab\\Co ... r", "getGitlabAvatar", OC\AppFramework\ ... {}, {action: null,_r ... "})
17. /var/www/html/lib/base.php line 1009
    OC\Route\Router->match("/apps/integration_gitlab/avatar")
18. /var/www/html/index.php line 37
    OC::handleRequest()

GET /apps/integration_gitlab/avatar?url=https%3A%2F%2Fgitlab.com%2Fuploads%2F-%2Fsystem%2Fproject%2Favatar%2F8711754%2Fgitlab-projectname.png
from 147.88.200.100 by Tony at 2020-10-09T09:08:10+00:00

TheTimeWalker avatar Oct 09 '20 12:10 TheTimeWalker

Thanks for the feedback!

Yeah, well, the avatar URL can't be accessed even when providing an authentication header. You can check out the priv-proj-avatar branch if you want to see it with your own eyes. Here is the interesting commit: https://github.com/nextcloud/integration_gitlab/commit/f014b9946b35169d4aaa7e305da1cb70e6bb2b3e

So, until we find a way to access avatars of private projects, avatars are not requested if visibility is "private". So at least the error will not pop up anymore.

julien-nc avatar Oct 09 '20 14:10 julien-nc

The API documentation does not mention a way to get avatars for private repos (or I didn't find it).

julien-nc avatar Oct 09 '20 14:10 julien-nc

Thank you, you're right. This seems to be a regression by Gitlab itself as you should be able to pass the private token by adding it in the URL. The corresponding issue is here: https://gitlab.com/gitlab-org/gitlab/-/issues/25498

TheTimeWalker avatar Oct 09 '20 14:10 TheTimeWalker

Thanks for linking the corresponding issue! I subscribed to it :smile:.

So in case they fix it, the fix is sleeping in the priv-proj-avatar branch.

julien-nc avatar Oct 09 '20 14:10 julien-nc