Trying to add a user which does not exist as contributor using a user access token results in a 403 forbidden #201201
Replies: 4 comments
-
|
💬 Your Product Feedback Has Been Submitted 🎉 Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users. Here's what you can expect moving forward ⏩
Where to look to see what's shipping 👀
What you can do in the meantime 💻
As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities. Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐ |
Beta Was this translation helpful? Give feedback.
-
|
Yess : ( that 403 is totally misleading. It's essentially a "permission denied" error that the API throws because the UAT auth layer fails to resolve the nonexistent username against your app's installation scopes. It’s definitely a bug in the API's error-handling logic, since a classic PAT correctly returns a 404. As, you've already verified the UAT can see that the user doesn't exist via separate lookups, it's clearly not a security thing; just sloppy API design. Your only move is to keep doing that pre-check lookup in your code before hitting the PUT endpoint, so you can handle the 404 yourself and ignore their garbage 403. |
Beta Was this translation helpful? Give feedback.
-
|
This looks like inconsistent error mapping between classic PATs and fine-grained user access tokens (UATs) on the collaborators endpoint. What you are seeing
Why 403 instead of 404 with a UAT Since Practical workaround
If you want to report it Hope that helps! |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
🏷️ Discussion Type
Bug
💬 Feature/Topic Area
API
Body
Endpoint:
PUT /repos/{owner}/{repo}/collaborators/{username}Trying to access the non-existent user using the UAT does result in the expected 404, same as the classic PAT.
Beta Was this translation helpful? Give feedback.
All reactions