It seems that all the request headers, including the JWT token, are returned in the error response. The following snippet will log the whole request when an error occurs.
```go
// tr is the underlying http.RoundTripper; http.DefaultTransport is assumed here.
tr := http.DefaultTransport
itr, err := ghinstallation.NewKeyFromFile(tr, 1234, 1245, "/tmp/key.pem")
if err != nil {
	panic(err)
}
gh := github.NewClient(&http.Client{Transport: itr})
// Any API call that triggers a failed installation-token refresh returns an
// error whose text embeds the whole refresh request, Authorization header included.
_, _, err = gh.Octocat(context.TODO(), "foo")
if err != nil {
	log.Println(err) // this line writes the JWT to the log
}
```
Error message - with redacted Authorization header.
```
2024/12/13 12:44:01 Get "https://api.github.com/octocat?s=foo": could not refresh installation id 1245's token: request &{Method:POST URL:https://api.github.com/app/installations/1245/access_tokens Proto:HTTP/1.1 ProtoMajor:1 ProtoMinor:1 Header:map[Accept:[application/vnd.github.machine-man-preview+json application/vnd.github.machine-man-preview+json] Authorization:[Bearer <REDACTED>] Content-Type:[application/json]] Body:{Reader:} GetBody:0x1042d0d80 ContentLength:5 TransferEncoding:[] Close:false Host:api.github.com Form:map[] PostForm:map[] MultipartForm:<nil> Trailer:map[] RemoteAddr: RequestURI: TLS:<nil> Cancel:<nil> Response:<nil> Pattern: ctx:{emptyCtx:{}} pat:<nil> matches:[] otherValues:map[]} received non 2xx response status &{[] {%!q(*http.http2clientStream=&{0x14000244000 {{}} <nil> <nil> 1 {{0 0} {{} 0x140002441b0 {0 0 0 <nil> <nil>} 1374391910888} 0x140000a2040 0 0x10462a2d0 <nil> <nil> 0x1042ee750} true false {{{} 0} {0 0}} 0x14000024310 <nil> 0x140000242a0 0x140000243f0 <nil> 0x14000024380 0x140000c0000 {[] 67108864 0x14000244068} {4194197 0} -1 <nil> 0x1400013e4f8 5 0x140000c4000 true true true true false 0 true false map[] 0x140000c0078})} %!q(*gzip.Reader=<nil>) <nil>} with body &{Method:POST URL:https://api.github.com/app/installations/1245/access_tokens Proto:HTTP/1.1 ProtoMajor:1 ProtoMinor:1 Header:map[Accept:[application/vnd.github.machine-man-preview+json application/vnd.github.machine-man-preview+json] Authorization:[Bearer <REDACTED>] Content-Type:[application/json]] Body:{Reader:} GetBody:0x1042d0d80 ContentLength:5 TransferEncoding:[] Close:false Host:api.github.com Form:map[] PostForm:map[] MultipartForm:<nil> Trailer:map[] RemoteAddr: RequestURI: TLS:<nil> Cancel:<nil> Response:<nil> Pattern: ctx:{emptyCtx:{}} pat:<nil> matches:[] otherValues:map[]} and TLS &{Version:772 HandshakeComplete:true DidResume:false CipherSuite:4865 NegotiatedProtocol:h2 NegotiatedProtocolIsMutual:true ServerName:api.github.com PeerCertificates:[0x14000220588 0x14000220b08 0x14000221088] VerifiedChains:[[0x14000221608 0x14000221b88 0x14000222108]] SignedCertificateTimestamps:[] OCSPResponse:[] TLSUnique:[] ECHAccepted:false ekm:0x1042894b0 testingOnlyDidHRR:false testingOnlyCurveID:29}
```
This issue seems to be related to GHSA-h4q8-96p6-jcgr.
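One way to keep such an error out of application logs while a dependency still formats the full request into its error text, as an added example that is not part of the issue or of the ghinstallation project: wrap the returned error so that its `Error()` output is scrubbed of Authorization credentials while `errors.Is`/`errors.As` still reach the original. The regex and the sample error string are assumptions modelled on the dump above.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// authHeaderRE matches a credential that follows an Authorization header
// name, both in the form Go's fmt uses when printing an http.Request
// (Header:map[... Authorization:[Bearer xyz] ...]) and in the plain
// "Authorization: Bearer xyz" form. Group 1 keeps the header name and
// scheme; only the secret itself is replaced.
var authHeaderRE = regexp.MustCompile(`(?i)(Authorization:\s*\[?\s*(?:Bearer|token|Basic)\s+)[^\s\]]+`)

// RedactAuth returns s with every Authorization credential replaced by <REDACTED>.
func RedactAuth(s string) string {
	return authHeaderRE.ReplaceAllString(s, "${1}<REDACTED>")
}

// redactedError scrubs the wrapped error's text on the way out and still
// exposes the original through Unwrap, so error inspection keeps working.
type redactedError struct{ err error }

func (r redactedError) Error() string { return RedactAuth(r.err.Error()) }
func (r redactedError) Unwrap() error { return r.err }

// Redact wraps err (nil stays nil) so that logging it cannot leak an
// Authorization header embedded in the error message.
func Redact(err error) error {
	if err == nil {
		return nil
	}
	return redactedError{err: err}
}

func main() {
	// Constructed sample in the shape of the leaked refresh error; the token is fake.
	leaked := errors.New(`could not refresh installation id 1245's token: request &{Method:POST Header:map[Authorization:[Bearer eyJhbGciOiJSUzI1NiJ9.payload.sig] Content-Type:[application/json]]}`)
	fmt.Println(Redact(leaked))
}
```

Apply `Redact` at the logging boundary (for example `log.Println(Redact(err))`) rather than inside business logic, so the original error stays available for inspection.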