Relay GitHub API error messages to the user on auth failures#12737
Merged
Conversation
When a GitHub API request fails with 401/403, Composer now extracts and displays the error message from GitHub's JSON response body. Previously, the error message would only suggest reviewing the OAuth token or creating one to access private repos, even when the actual issue was something else entirely (e.g. organization token policy restrictions). Fixes composer#12711
Member: Thanks
mwalbeck pushed a commit to mwalbeck/docker-composer that referenced this pull request on Apr 26, 2026:
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [composer/composer](https://github.com/composer/composer) | patch | `2.9.5` → `2.9.7` |

---

### Release Notes

<details>
<summary>composer/composer (composer/composer)</summary>

### [`v2.9.7`](https://github.com/composer/composer/blob/HEAD/CHANGELOG.md#297-2026-04-14)

[Compare Source](composer/composer@2.9.6...2.9.7)

- Fixes regression calling custom script command aliases that are called a substring of a composer command ([#12802](composer/composer#12802))

### [`v2.9.6`](https://github.com/composer/composer/blob/HEAD/CHANGELOG.md#296-2026-04-14)

[Compare Source](composer/composer@2.9.5...2.9.6)

- Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
- Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
- Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed ([`2bcbfc3`](composer/composer@2bcbfc3d))
- Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing ([`5e71d77`](composer/composer@5e71d77e))
- Security: Fixed Perforce unescaped user input in queryP4User shell command ([`ef3fc08`](composer/composer@ef3fc088))
- Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with `-` do not cause issues ([`6621d45`](composer/composer@6621d45), [`d836b90`](composer/composer@d836b90), [`5e08c76`](composer/composer@5e08c764))
- Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading ([#12758](composer/composer#12758))
- Fixed GitHub API authentication errors not being visible to the user ([#12737](composer/composer#12737))
- Fixed some platform package parsing failing when Composer runs in web SAPIs ([#12735](composer/composer#12735))
- Fixed error reporting for clarity when a constraint cannot be parsed ([#12743](composer/composer#12743))

</details>

---

### Configuration

📅 **Schedule**: (UTC)
- Branch creation - At any time (no schedule defined)
- Automerge - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.walbeck.it/mwalbeck/docker-composer/pulls/1130
Co-authored-by: renovate-bot <[email protected]>
Co-committed-by: renovate-bot <[email protected]>
Summary
When a GitHub API request fails with 401/403, Composer now extracts and displays the actual error message from GitHub's JSON response body instead of showing a generic message about reviewing OAuth tokens or accessing private repos.
Problem
As described in #12711, when GitHub returns specific error messages like:

- organization forbids access via a personal access token (classic)
- organization forbids access via fine-grained personal access tokens if the token's lifetime is greater than 366 days

Composer would only show a generic message suggesting to review your GitHub OAuth token or create one to access private repos. This made it very difficult to diagnose the actual issue.
Solution
Added an optional `$responseBody` parameter to `AuthHelper::promptAuthIfNeeded()`. For GitHub domains, when a 401/403 response is received (and it's not a rate limit or SSO issue), the method now attempts to decode the JSON response body and extract the `message` field from GitHub's API response. The extracted message is then displayed to the user, providing accurate information about why the request failed.
Changes
- `src/Composer/Util/AuthHelper.php`: Added `$responseBody` parameter and GitHub API error message extraction logic
- `src/Composer/Util/Http/CurlDownloader.php`: Pass response body to `promptAuthIfNeeded()`

Fixes #12711
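The decision the description outlines, written out as a stand-alone PHP script so it can be run against a few constructed responses. This is an added illustration, not code from this PR or from Composer's `AuthHelper`: the function names, the generic fallback text, and the way the rate-limit and SSO cases are recognised (from an `X-RateLimit-Remaining: 0` header and an `X-GitHub-SSO` header respectively) are assumptions made for the example, and the sample bodies are constructed, not captured from GitHub. It also adds one check the description does not mention: the relayed text comes from the remote server, so control characters and newlines are stripped before it reaches the terminal.

```php
<?php
declare(strict_types=1);

// Added example, not Composer's own code. Mirrors the PR's behaviour: for a
// GitHub 401/403 that is not a rate-limit or SSO problem, decode the JSON body
// and relay its "message" instead of a generic OAuth-token hint.
// Assumptions (not from the PR): header-based detection of the rate-limit and
// SSO cases, the function names, and the fallback text below.

const GENERIC_AUTH_HINT = 'Review your GitHub OAuth token, or create one to access private repositories.';

/**
 * Message to show for a failed GitHub API response, or null when the status is
 * not an auth failure and ordinary error handling should apply.
 *
 * @param int                  $status  HTTP status code
 * @param array<string,string> $headers response headers, lower-case names
 * @param string               $body    raw response body
 */
function githubAuthFailureMessage(int $status, array $headers, string $body): ?string
{
    if ($status !== 401 && $status !== 403) {
        return null;
    }

    // Rate limiting and SAML SSO enforcement keep their own handling, so they
    // are excluded from message relay (header checks are an assumption).
    if (($headers['x-ratelimit-remaining'] ?? null) === '0') {
        return 'GitHub API rate limit exhausted; authenticate or wait for the limit to reset.';
    }
    if (isset($headers['x-github-sso'])) {
        return 'GitHub reports that your token must be authorized for SAML SSO on this organization.';
    }

    return extractGithubMessage($body) ?? GENERIC_AUTH_HINT;
}

/**
 * Pull the "message" field out of a GitHub error body. Returns null when the
 * body is not a JSON object carrying a non-empty string message (HTML error
 * page from a proxy, truncated body, JSON array, ...). Never throws.
 */
function extractGithubMessage(string $body): ?string
{
    $data = json_decode($body, true);
    if (!is_array($data) || !isset($data['message']) || !is_string($data['message'])) {
        return null;
    }

    // The text is server-controlled (a self-hosted GitHub Enterprise endpoint
    // can be listed in composer.json), so never echo control characters or
    // newlines that could forge extra prompt lines in the terminal, and cap it.
    $message = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $data['message']) ?? '';
    $message = trim($message);
    if ($message === '') {
        return null;
    }

    return mb_strlen($message) > 300 ? mb_substr($message, 0, 300) . '...' : $message;
}

// Constructed sample responses (not captured from GitHub): [status, headers, body].
$samples = [
    'classic PAT blocked by org policy' => [403, [], '{"message":"organization forbids access via a personal access token (classic)","documentation_url":"https://docs.github.com/rest"}'],
    'fine-grained PAT lifetime policy'  => [403, [], '{"message":"organization forbids access via fine-grained personal access tokens if the token\'s lifetime is greater than 366 days"}'],
    'bad credentials'                   => [401, [], '{"message":"Bad credentials"}'],
    'rate limited'                      => [403, ['x-ratelimit-remaining' => '0'], '{"message":"API rate limit exceeded"}'],
    'SSO enforced'                      => [403, ['x-github-sso' => 'required; url=https://github.com/orgs/example/sso'], '{"message":"Resource protected by organization SAML enforcement."}'],
    'HTML proxy error page'             => [403, [], '<html><body>Forbidden</body></html>'],
    'JSON without message'              => [401, [], '{"error":"denied"}'],
    'newline injection attempt'         => [403, [], "{\"message\":\"denied\\n\\nEnter GitHub token: \"}"],
    'not an auth failure'               => [500, [], '{"message":"Server Error"}'],
];

foreach ($samples as $label => [$status, $headers, $body]) {
    printf("%-36s -> %s\n", $label, githubAuthFailureMessage($status, $headers, $body) ?? '(regular error handling)');
}
```

The first three samples show the PR's intended effect: the organization policy text and "Bad credentials" now reach the user verbatim, while the generic hint is only shown when the body carries no usable message. The rate-limit and SSO samples are routed to their dedicated messages regardless of the body, matching the "not a rate limit or SSO issue" condition in the description, and the last JSON sample demonstrates why the control-character strip is worth keeping when relaying server-supplied text to a terminal.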