[BUG]: Can't delete (revoke) OR refresh user token #2842


Open
1 task done
Debajyati opened this issue May 6, 2025 · 4 comments
Labels: Status: Triage (This is being looked at and prioritized); Type: Bug (Something isn't working as documented)


Debajyati commented May 6, 2025

What happened?

I had built a CLI named gitfm in JavaScript a year ago using @octokit/rest and @octokit/oauth-methods of the @octokit npm packages.
Everything was great, all features and authentications were working perfectly fine for most of the time.

Recently, today, I was using my app and tried to log out from my app (it is done by revoking the user token and then clearing the revoked token from the local config file). It didn't work and threw an error.

The function (when called) which used to revoke the token uses this code -

await octokit.rest.apps.deleteToken({
  client_id: config.CLIENT_ID,
  access_token: storedToken,
});

This is the code of the complete function -

const revokeToken = async () => {
  try {
    const { default:input } = await import("../utils/input.js");
    const { default:chalk } = await import("chalk");
    const yesOrNo = await input(chalk.red("Are you sure you want to revoke the token? [y/N]"));
    if (yesOrNo.toLowerCase() !== "y") {
      console.log("Token revocation aborted.");
      return;
    }
    const { Octokit } = await import("@octokit/rest");
    const tokenFilePath = config.TOKEN_FILE;
    const storedToken = getStoredToken(tokenFilePath);

    if (!storedToken) {
      console.error("Error: Token not found.");
      console.error("You are not authenticated.");
      return;
    }

    const isValid = await checkTokenValidity(storedToken);
    if (!isValid) {
      console.log("Token is already expired. No need to revoke.");
      clearToken(tokenFilePath);
      return;
    }

    const authType = getStoredAuthType(tokenFilePath);
    if (authType !== "oauth") {
      console.log("Token type is not OAuth. Skipping revocation.");
      return;
    }

    const octokit = new Octokit({ auth: storedToken });

    // Attempt to revoke the token
    await octokit.rest.apps.deleteToken({
      client_id: config.CLIENT_ID,
      access_token: storedToken,
    });
    console.log("Token revoked successfully!");

    clearToken(tokenFilePath);
  } catch (error) {
    console.error("An error occurred while revoking the token:", error.message);
    process.exit(1);
  }
};

Previously it used to execute successfully without any error.

Now, this throws an error (image below) -

[Image: The error occurs when trying to revoke the token]

This should work. If not, then I think it will be good if you people kindly keep the docs up to date.

Reference - GitHub REST API DOCUMENTATION - Delete An App Token

The same happened when I tried to reset the currently active token. Code of my function which refreshes a token -

const refreshToken = async () => {
  try {
    const { Octokit } = await import("@octokit/rest");
    const tokenFilePath = config.TOKEN_FILE;
    const storedToken = getStoredToken(tokenFilePath);
    if (!storedToken) {
      console.error("Error: Token not found.");
      console.error("You are not authenticated.");
      return;
    }

    const isValid = await checkTokenValidity(storedToken);
    if (!isValid) {
      console.log("Token is already expired/invalid. Can't refresh.");
      return;
    }

    const authType = getStoredAuthType(tokenFilePath);
    if (authType !== "oauth") {
      console.log("Token type is not OAuth. Skipping refresh.");
      return;
    }

    const octokit = new Octokit({ auth: storedToken });

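    // Attempt to refresh the token.
    // octokit.request() resolves to { status, headers, data }, so the token is read from data.
    const { data: { token: newToken } } = await octokit.request(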
      `PATCH /applications/{client_id}/token`,
      {
        client_id: config.CLIENT_ID,
        access_token: storedToken,
        headers: {
          accept: "application/vnd.github+json",
          "X-GitHub-Api-Version": "2022-11-28",
        },
      },
    );
    console.log("Token refreshed successfully!");
    saveToken({ token: newToken, type: "oauth" }, tokenFilePath);
  } catch (error) {
    console.error(
      "An error occurred while refreshing the token:",
      error.message,
    );
    process.exit(1);
  }
};

It is now failing the same way.

[Image: 404 error on attempt to refresh the user token]

Versions

@octokit/[email protected]
@octokit/[email protected]
nodejs v20.18.2

Code of Conduct

  • I agree to follow this project's Code of Conduct
@Debajyati Debajyati added Type: Bug Something isn't working as documented Status: Triage This is being looked at and prioritized labels May 6, 2025

github-actions bot commented May 6, 2025

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

@wolfy1339
Member

Are you passing the client_secret option? It seems like that would make it fail

@Debajyati
Author

No, I am not sending the client secret.
I used oauth device flow for login so I didn't even generate one client secret since I created the oauth application. I implemented login using only client id and for deleting and to reset tokens I am using the token and client id.

@Debajyati
Author

What should I do now?

Any solution?
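
GitHub's REST documentation for `DELETE /applications/{client_id}/token` requires HTTP Basic authentication with the OAuth app's client_id and client_secret rather than the user's token. The sketch below is an added example, not part of the thread and not gitfm or Octokit code: it builds that request and makes logout clear the local token even when revocation cannot happen, as in a device-flow client that holds no client_secret. `buildRevokeRequest`, `logout`, `fetchImpl`, `clearLocalToken` and the stub `fakeGitHub` are hypothetical names.

```javascript
// Added example (not gitfm or Octokit code); all names are hypothetical.
// fetchImpl and clearLocalToken are injected so the flow runs offline.

// The endpoint authenticates the OAuth app itself with HTTP Basic
// (client_id:client_secret); the user token travels in the JSON body.
function buildRevokeRequest({ clientId, clientSecret, token }) {
  if (!clientId || !clientSecret || !token) {
    throw new TypeError("clientId, clientSecret and token are required");
  }
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  return {
    url: `https://api.github.com/applications/${encodeURIComponent(clientId)}/token`,
    method: "DELETE",
    headers: {
      accept: "application/vnd.github+json",
      authorization: `Basic ${basic}`,
      "content-type": "application/json",
    },
    body: JSON.stringify({ access_token: token }),
  };
}

// Logout: attempt server-side revocation, but always delete the local copy,
// so a failed API call never leaves the credential on disk.
async function logout({ clientId, clientSecret, token, fetchImpl, clearLocalToken }) {
  const result = { revoked: false, localCleared: false, detail: "" };
  try {
    const { url, ...init } = buildRevokeRequest({ clientId, clientSecret, token });
    const res = await fetchImpl(url, init);
    result.revoked = res.status === 204; // 204 No Content means revoked
    result.detail = `HTTP ${res.status}`;
  } catch (err) {
    result.detail = err.message; // e.g. no client_secret, network failure
  } finally {
    clearLocalToken();
    result.localCleared = true;
  }
  return result;
}

// Constructed stand-in for the API: 204 with Basic credentials, else 404.
const fakeGitHub = async (_url, init) => ({
  status: (init.headers.authorization || "").startsWith("Basic ") ? 204 : 404,
});
```

A distributed CLI cannot keep a client_secret confidential, so in the device-flow setup described in this thread the `revoked: false` result is the expected one. The user can still revoke the app's authorization from their GitHub account settings.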

@nickfloyd nickfloyd moved this from 🆕 Triage to 🔥 Backlog in 🧰 Octokit Active Jun 3, 2025