Successive requests return RequestError [HttpError] [...] bad_verification_code

[raimundo-henriques]

Hello everyone!

I am trying to run successive requests with one octokit instance and on the second request I'm getting this error:

RequestError [HttpError]: The code passed is incorrect or expired. (bad_verification_code, https://docs.github.com/apps/managing-oauth-apps/troubleshooting-oauth-app-access-token-request-errors/#bad-verification-code)

I'm using Next.js, passing the code from the frontend to an API route. Here's the code of the API route:

import type { NextApiRequest, NextApiResponse } from "next";
import { createOAuthUserAuth } from "@octokit/auth-oauth-user";
import { Octokit } from "@octokit/rest";

export default async function handler(
  req: NextApiRequest,
  res: NextApiResponse
) {
  const { code } = req.body;

// Logs the expected code
  console.log("code", code);

  const octokit = new Octokit({
    authStrategy: createOAuthUserAuth,
    auth: {
      clientId: process.env.NEXT_PUBLIC_CLIENT_ID,
      clientSecret: process.env.CLIENT_SECRET,
      code,
    },
  });

// First request
// Copied over from the documentation, at https://github.com/octokit/auth-oauth-user.js#usage-with-octokit
  const {
    data: { login },
  } = await octokit.rest.users.getAuthenticated();
// Logs my GitHub username, as expected
  console.log("Hello, %s!", login);

// Second request
// Throws an error
await octokit.rest.git.getRef({
    owner: "sine-fdn",
    repo: "tandem",
    ref: "heads/main",
  });

  res.status(200).json({ data: `${req.body}` });
}

I am new to octokit, so I am sorry if I'm missing something that should be clear.

Thank you very much for your work and for your attention!

[gr2m]

I'll try to reproduce the problem.

For the time being, given that you are building a request handler, you might be interested in https://github.com/octokit/app.js or https://github.com/octokit/oauth-app.js (if you are only interested in the OAuth routes), these SDKs will make things a little easier for you

[raimundo-henriques]

Thank you for your reply!

It worked using https://github.com/octokit/oauth-app.js (using getUserOctokit()), so I guess that's what I should be using.

I hope that my issue might nevertheless be useful!

Thanks again!

[Drew-Kimberly]

Can confirm the errant behavior described in this issue using the Octokit constructor with createOAuthUserAuth auth strategy

[ProLoser]

I also ran into this problem based on the instructions found here https://github.com/octokit/auth-oauth-user.js/#usage-with-octokit this is honestly one of the most headache-inducing documentation scenarios I've encountered. there's so many ways to use octokit that none of the documentation is consistent and the internals are super obfuscated with verbose typescript