failed to initialize provider, error: failed creating Gitea client: 403 Forbidden #580

Closed
viceice opened this issue Jul 19, 2023 · 15 comments · Fixed by #583


viceice commented Jul 19, 2023

Since the Gitea upgrade from v1.19 to v1.20 I get this error. 😕

failed to initialize provider, error: failed creating Gitea client: 403 Forbidden

return nil, fmt.Errorf("failed creating Gitea client: %w", err)

I know they changed the API key scopes [1], but the key still has repo write scope. My current key was created on v1.19.x with repo scope.
It had these scopes:

  • repo
  • repo:status
  • read:package

It's now converted to these scopes:

  • read:package
  • write:repository

Gitea log message:

2023/07/21 06:48:51 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/version for a.b.c.d:0, 403 Forbidden in 58.3ms @ v1/api.go:242(v1.tokenRequiresScopes)

Please let me know how to debug this further. Is there any option to pass additional debug messages?

Footnotes

  1. https://blog.gitea.com/release-of-1.20.0/#%EF%B8%8F-refactored-scoped-tokens-mechanism-24767

Member

makkes commented Jul 19, 2023

What is the exact error you're getting? I just upgraded to Gitea 1.20 and it's working fine with an existing token.

Author

viceice commented Jul 19, 2023

there is no other error. btw the apikey had repo scope only before the Gitea upgrade and was working fine.

btw: I also updated flux from v2 rc to v2.0.1 today. maybe there has something changed too?

Member

makkes commented Jul 19, 2023

> there is no other error.

You still haven't pasted the error you're seeing into this issue. The only thing you did was post a link to the source code where that error supposedly originates. Pasting the actual error you're seeing may help understanding what's causing it.

> btw: I also updated flux from v2 rc to v2.0.1 today. maybe there has something changed too?

I tried 2.0.1 and didn't run into any issues.

Author

viceice commented Jul 19, 2023

sorry, the error is the issue title

Author

viceice commented Jul 19, 2023

> > btw: I also updated flux from v2 rc to v2.0.1 today. maybe there has something changed too?

> I tried 2.0.1 and didn't run into any issues.

Are you using a token with full rights or a repo scoped?

Did you create the token before updating Gitea to v1.20?

Member

makkes commented Jul 20, 2023

> > > btw: I also updated flux from v2 rc to v2.0.1 today. maybe there has something changed too?

> > I tried 2.0.1 and didn't run into any issues.

> Are you using a token with full rights or a repo scoped?

> Did you create the token before updating Gitea to v1.20?

I created the Token on Gitea 1.18 so there was no way to choose its scope. After the upgrade to 1.20 it shows this scope:

Repository and Organization Access: All (public, private, and limited)
Permissions:
    all

Author

viceice commented Jul 20, 2023

so it seems to be an issue with the scopes, as the same token works fine for fetching the repo from flux.

maybe some new scope is needed to initialize the Gitea client. do you know which calls it makes?

will also check the Gitea logs to hopefully find the failed requests.

Member

makkes commented Jul 20, 2023

What scope does the token you use (the one that doesn't work) have?

Member

makkes commented Jul 20, 2023

@viceice Please supply as much information as possible on your issue and environment. Otherwise we will have to ask for each and every bit of information and won't be able to make any reasonable progress getting to the bottom of your problem.

Author

viceice commented Jul 20, 2023

ok, will extend the issue description tomorrow

Author

viceice commented Jul 21, 2023

Updated body. It seems the /api/v1/version isn't allowed with that token. 😕

Author

viceice commented Jul 21, 2023

It seems we now need misc scope

Member

makkes commented Jul 21, 2023

That is indeed interesting. We should definitely document the necessary minimum scopes. Thanks for digging into this. I just verified that the following scopes are necessary to make the provider work:

  • read:misc
  • write:repository

Author

viceice commented Jul 21, 2023

yes, I've added read:packages to allow flux fetching docker / oci stuff from Gitea 😉

makkes pushed a commit that referenced this issue Jul 22, 2023
closes #580

Signed-off-by: Max Jonas Werner <mail@makk.es>
Author

viceice commented Jul 29, 2023

it seems misc is no longer necessary since v1.20.2

go-gitea/gitea#26035
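
An added example, not written by anyone in this thread and not the project's own code: a small Go probe that repeats the request from the Gitea log above (`GET /api/v1/version`) with a given token, separating a rejected token (401) from a valid token that lacks a scope for the endpoint (403, the `read:misc` case found here). The function, type and constant names and the `GITEA_URL` / `GITEA_TOKEN` environment variable names are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"strings"
	"time"
)

// Outcome classifies the reply to the version request (names are this example's own).
type Outcome string

const (
	ScopeOK      Outcome = "ok: token may call /api/v1/version"
	BadToken     Outcome = "401: token missing, revoked or mistyped"
	MissingScope Outcome = "403: token valid but lacks a scope for this endpoint (read:misc in this thread)"
	Unexpected   Outcome = "unexpected status"
)

// ProbeVersion repeats the request from the Gitea log in this thread,
// GET /api/v1/version, sending the token in Gitea's "Authorization: token" header.
func ProbeVersion(baseURL, token string) (Outcome, error) {
	url := strings.TrimRight(baseURL, "/") + "/api/v1/version"
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return Unexpected, err
	}
	req.Header.Set("Authorization", "token "+token)
	resp, err := (&http.Client{Timeout: 10 * time.Second}).Do(req)
	if err != nil {
		return Unexpected, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return ScopeOK, nil
	case http.StatusUnauthorized:
		return BadToken, nil
	case http.StatusForbidden:
		return MissingScope, nil
	}
	return Unexpected, fmt.Errorf("status %d from %s", resp.StatusCode, url)
}

func main() {
	// GITEA_URL and GITEA_TOKEN are assumed variable names, not flux settings.
	out, err := ProbeVersion(os.Getenv("GITEA_URL"), os.Getenv("GITEA_TOKEN"))
	fmt.Println(out, err)
}
```

Running it once with the token that fails and once with a token that has `read:misc` shows whether the 403 comes from the token's scopes rather than from the token itself.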

makkes pushed a commit that referenced this issue Jul 31, 2023
closes #580

Signed-off-by: Max Jonas Werner <mail@makk.es>
makkes pushed a commit that referenced this issue Aug 3, 2023
closes #580

Signed-off-by: Max Jonas Werner <mail@makk.es>
github-actions bot pushed a commit that referenced this issue Aug 3, 2023
closes #580

Signed-off-by: Max Jonas Werner <mail@makk.es>
(cherry picked from commit e1d3a59)