[BUG]: Can't delete (revoke) OR refresh user token

[Debajyati]

What happened?

I had built a CLI named gitfm in JavaScript a year ago using @octokit/rest and @octokit/oauth-methods of the @octokit npm packages.
Everything was great, all features and authentications were working perfectly fine for most of the time.

Recently, today I was using my app and tried to logout from my app (It is done by revoking the user token and then clearing the revoked token from local config file). It didn't work and threw an error.

The function (when called) which used to revoke the token uses this code -

await octokit.rest.apps.deleteToken({
  client_id: config.CLIENT_ID,
  access_token: storedToken,
});

This is the code of the complete function -

const revokeToken = async () => {
  try {
    const { default:input } = await import("../utils/input.js");
    const { default:chalk } = await import("chalk");
    const yesOrNo = await input(chalk.red("Are you sure you want to revoke the token? [y/N]"));
    if (yesOrNo.toLowerCase() !== "y") {
      console.log("Token revocation aborted.");
      return;
    }
    const { Octokit } = await import("@octokit/rest");
    const tokenFilePath = config.TOKEN_FILE;
    const storedToken = getStoredToken(tokenFilePath);

    if (!storedToken) {
      console.error("Error: Token not found.");
      console.error("You are not authenticated.");
      return;
    }

    const isValid = await checkTokenValidity(storedToken);
    if (!isValid) {
      console.log("Token is already expired. No need to revoke.");
      clearToken(tokenFilePath);
      return;
    }

    const authType = getStoredAuthType(tokenFilePath);
    if (authType !== "oauth") {
      console.log("Token type is not OAuth. Skipping revocation.");
      return;
    }

    const octokit = new Octokit({ auth: storedToken });

    // Attempt to revoke the token
    await octokit.rest.apps.deleteToken({
      client_id: config.CLIENT_ID,
      access_token: storedToken,
    });
    console.log("Token revoked successfully!");

    clearToken(tokenFilePath);
  } catch (error) {
    console.error("An error occurred while revoking the token:", error.message);
    process.exit(1);
  }
};

Previously it used to execute successfully without any error.

Now, this throws error (image below) -

This should work. If not, then I think it will be good if you people kindly keep the docs up to date.

Reference - GitHub REST API DOCUMENTATION - Delete An App Token

The same happend when I try to reset the currently active token. Code of my function which refreshes a token -

const refreshToken = async () => {
  try {
    const { Octokit } = await import("@octokit/rest");
    const tokenFilePath = config.TOKEN_FILE;
    const storedToken = getStoredToken(tokenFilePath);
    if (!storedToken) {
      console.error("Error: Token not found.");
      console.error("You are not authenticated.");
      return;
    }

    const isValid = await checkTokenValidity(storedToken);
    if (!isValid) {
      console.log("Token is already expired/invalid. Can't refresh.");
      return;
    }

    const authType = getStoredAuthType(tokenFilePath);
    if (authType !== "oauth") {
      console.log("Token type is not OAuth. Skipping refresh.");
      return;
    }

    const octokit = new Octokit({ auth: storedToken });

    // Attempt to refresh the token
    const { token: newToken } = await octokit.request(
      `PATCH /applications/{client_id}/token`,
      {
        client_id: config.CLIENT_ID,
        access_token: storedToken,
        headers: {
          accept: "application/vnd.github+json",
          "X-GitHub-Api-Version": "2022-11-28",
        },
      },
    );
    console.log("Token refreshed successfully!");
    saveToken({ token: newToken, type: "oauth" }, tokenFilePath);
  } catch (error) {
    console.error(
      "An error occurred while refreshing the token:",
      error.message,
    );
    process.exit(1);
  }
};

It is now failing the same way.

Versions

@octokit/[email protected]
@octokit/[email protected]
nodejs v20.18.2

Code of Conduct

• I agree to follow this project's Code of Conduct

[github-actions]

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

[wolfy1339]

Are you passing the client_secret option? It seems like that would make it fail

[Debajyati]

No I am not sending the client secret.
I used oauth device flow for login so I didn't even generate one client secret since I created the oauth application. I implemented login using only client id and for deleting and to reset tokens I am using the token and client id.

[Debajyati]

What should I do now?

Any solution?