Migrating private github → Gitea via API, auth_token is not respected (reopen 14790)

[bodhi-one]

Description

• We are in a corporate environment with ldap/saml in use.

• We can't use a password for mirroring as they change every few weeks.

• We only have personal access tokens

• The solution proposed in # 14790 by [milichev] for providing auth_username and auth_password in the mirror json does not work when providing the personal access token in the auth_password field

• The github personal access token for this testing has wide privileges including: repo, workflow, write:packages

Submitted json from a python project:
{"repo_name": "someProject", "description": "someProject", "clone_addr": "https://redactedPersonalAccessToken@github.someCompany.net/someOrgName/someProject.git", "mirror": true, "private": false, "uid": 1, "auth_username": "someUser", "auth_password": "redactedPersonalAccessToken"}

Response from docker log -f giteaprocess:
2023/04/06 16:42:05 Completed POST /api/v1/repos/migrate 422 Unprocessable Entity in 62.3021ms
2023/04/06 16:42:07 Started POST /api/v1/repos/migrate for redacted:61030
2023/04/06 16:42:07 Completed POST /api/v1/repos/migrate 422 Unprocessable Entity in 59.4336ms
2023/04/06 16:42:09 Started POST /api/v1/repos/migrate for redacted:61030
2023/04/06 16:42:09 Completed POST /api/v1/repos/migrate 422 Unprocessable Entity in 60.0725ms
2023/04/06 16:42:11 Started POST /api/v1/repos/migrate for redacted:61030
2023/04/06 16:42:11 Completed POST /api/v1/repos/migrate 422 Unprocessable Entity in 64.5274ms

• The target repo is resolved via docker extra_hosts setting.

• We tested connectivity for using the personal access token from within the running gitea container and it works correctly.
  ...
  "visibility": "private",
  "forks": 0,
  "open_issues": 0,
  "watchers": 0,
  "default_branch": "master",
  "permissions": {
  "admin": false,
  "maintain": true,
  "push": true,
  "triage": true,
  "pull": true
  }
  }
  ]
  abbdc471d404:/# curl -s -H "Authorization: Token someToken" "https://api.github.someCompany.net/orgs/someOrganization/repos"

gitea ChangeLog (1.19.0):

Looked at the changelog here https://github.com/go-gitea/gitea/blob/main/CHANGELOG.md
This implies 'scoped tokens' are supported, but does not appear to be so in this case (or perhaps this is support for generation of gitea tokens.)

• We need to be able to use github access tokens for mirroring from github to gitea.

"SECURITY
...
Support scoped access tokens (#20908)"

Gitea Version

1.19.0

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

1.19.0

Operating System

linux

How are you running Gitea?

Inside of docker container from gitea/gitea:1.19.0

Database

SQLite

[bodhi-one]

Ok, 3 weeks and no comments. We have moved onto gogs which can handle the tokens.

[jolheiser]

This works for me on try (with my own private repo), although I removed uid: 1 as it's a deprecated option.

I see you have moved on, but in case anyone else experiences this I think we'd need more information or a way to reproduce and debug.