utterances icon indicating copy to clipboard operation
utterances copied to clipboard

Published 20 hours ago verified publisher icon utterance

Labels are not applied to issues created by Utterances

Open thomaslevesque opened this issue 4 years ago • 15 comments

I have integrated Utterances like this:

    <script src="https://utteranc.es/client.js"
            repo="thomaslevesque/blog"
            issue-term="pathname"
            label="post-comment"
            theme="github-light"
            crossorigin="anonymous"
            async>
    </script>

It works fine, except that the post-comment label is not applied to issues. It worked the first time I tried it (see this issue -- there isn't actually a comment because I deleted it), but since then Utterances never applied the label.

Note: the only time it worked, I was the one commenting. Could this be because I'm the repo owner?

thomaslevesque avatar May 11 '20 08:05 thomaslevesque

I'm curious about this too.

jrmiller82 avatar May 12 '20 01:05 jrmiller82

That's really strange. I reproduced the issue on your blog here: https://thomaslevesque.com/2019/07/15/using-typescript-to-write-cosmos-db-stored-procedures-with-async-await/

But I'm unable to reproduce locally in my test repo. @jrmiller82 are you seeing the same issue?

jdanyow avatar May 12 '20 03:05 jdanyow

@jdanyow I had not set up the "label" attribute yet. I think the utterances website needs get updated as it looks like it's giving graphical configuration advice when all the app lets you do is pick which repo it attaches to. (I'm referring to this link: https://utteranc.es/)

I came to the issues here and saw this issue; I will try adding in the "label" field on my next deployment.

jrmiller82 avatar May 12 '20 03:05 jrmiller82

But I'm unable to reproduce locally in my test repo.

But you're the repo owner, so maybe it works in that case. Is there a page where I can post a comment to test it?

thomaslevesque avatar May 12 '20 07:05 thomaslevesque

It worked fine (but I'm the repo owner too). I'll have to get someone to try and initiate a new issue.

jrmiller82 avatar May 13 '20 19:05 jrmiller82

Ok, if a brand new comment (Github issue) is created by anyone other than the repo owner, the label is not applied.

jrmiller82 avatar May 13 '20 19:05 jrmiller82

The only time it worked for me is when I was the one commenting on my own repo. And the label was applied on my behalf:

image

If Utterances tries to apply the comment on behalf of the user posting the comment, it makes sense that it only works for the repo owner (since other users don't have permission to label issues).

thomaslevesque avatar May 13 '20 19:05 thomaslevesque

OK, I'm not sure I understand everything in the code, but I think I might be onto something...

The issue is created by @utterances-bot, which is authenticated with its own token, like this:

https://github.com/utterance/utterances-oauth/blob/d7d294461a01d902005a5c7b511eb23db07aa6d9/src/routes.ts#L199

However, to apply the label, utterances uses the commenter's authorization header, like this:

https://github.com/utterance/utterances-oauth/blob/d7d294461a01d902005a5c7b511eb23db07aa6d9/src/routes.ts#L211

So, it uses the commenter's identity to apply the label, which probably fails because that user doesn't have permissions to apply the label. I suspect that the error is somehow swallowed by fetchEvent.waitUntil.

Anyway, maybe the fix is as simple as using 'token ' + settings.bot_token instead of authorization, to apply the label under the identity of @utterances-bot?

I'm not sure if that makes sense... I don't know Typescript very well.

thomaslevesque avatar May 13 '20 20:05 thomaslevesque

Anyway, maybe the fix is as simple as using 'token ' + settings.bot_token instead of authorization, to apply the label under the identity of @utterances-bot?

I think there would be a security problem with this approach. The label is specified in the client-side HTML, so the user could make utterances add arbitrary labels to created issues by modifying that HTML.

phil-opp avatar May 14 '20 08:05 phil-opp

@phil-opp very good point! Maybe the label should be specified in utterances.json instead In fact, the same is true of other parameters, like issue-term.

thomaslevesque avatar May 14 '20 08:05 thomaslevesque

Sounds like a good idea!

phil-opp avatar May 14 '20 08:05 phil-opp

Could utterances.json be set by site owner?

sdmgeek avatar Jun 20 '20 03:06 sdmgeek

Well spotted!

Personally, I think the least intrusive modification is to let users pick from a predefined list of possible labels (like how issueTerm works). Because currently utterances.json is optional, and making it required would make setup less straight forward.

I feel like many trade-offs (e.g. not jumping to comment section after login) have already been made to keep the installation at merely a script tag.

@sdmgeek Yes, utterances request the file from the repository housing your comments.

WeixuanZ avatar Aug 02 '20 00:08 WeixuanZ

are there any updates on this one? I'm having the exact same issue

vorant94 avatar Oct 07 '23 10:10 vorant94

Ok, if a brand new comment (Github issue) is created by anyone other than the repo owner, the label is not applied.

Exactly, but most of the time we owner is not going to create the issue, might all by our readers, so this is annoying and confusing.

I add the label myself every time I get emailed. This is not bad, but hope next version that is gonna to be fixed.

Last thing, utterances system is good to use! LOL

DavidingPlus avatar Aug 18 '24 02:08 DavidingPlus