通过 Node.js 提供私有 GitHub 发布下载

Question

I've been trying to make the ability to download a private release from a private website for a client.

Using Node.JS I can use my personal access token to request all the releases, and importantly all the assets inside of that. Download URL works well but still requires the user to be logged into Github.com to access the file.

Request made on my Node API, which is then served to the frontend (to hide the Personal Access Token.)

const {data} = await axios.get("https://api.github.com/repos/<company>/<repo>/releases", {
    auth: {
        username: 'LukeXF',
        password: '<key>'
    }
})

So, I'm either:

1. Trying to download the file directly from the GitHub URL with a short-lived token,
2. Trying to load the file through my node API and then download from the node API express endpoint (my API has authentication for users, no issue there); or,
3. Going to run a script that when a release is published, the assets of the release are also uploaded to GCP (Google Cloud Platform)

Results so far:

1. I can't seem to get the GitHub URL to support inline authentication eg https://github.com/<company>/<repo>/releases/download/${asset}?accessToken=<key> , which I didn't expect to work anyway, and also is a security vulnerability exposing the token like that.

2. Using the Node API as a middle man, I've got it working in parts, but can't seem to get the encoding or user agent working correct, or there are issues with the authentication (which is odd because the first request for the JSON file works without issues).

const fullUrl = `https://github.com/<company>/<repo>/releases/download/${asset}`;
const {data} = await axios.get(fullUrl, {
    headers: {
        'Accept': 'application/octet-stream',
        // 'User-Agent': 'request module',
    },
    // encoding: null,
    auth: {
        username: 'LukeXF',
        password: '<key>'
        // token: '<key>'
    }
});

3. Ideally trying to avoid this if possible as it would duplicate my releases. I would be looking at release triggers or a CRON job to check for new releases before running a script to upload them to GCP.

Any guidance on downloading private release assets from GitHub through Node.js? I understand if the repo/releases were public then this wouldn't be an issue but it can't be made public. Perhaps I might need to host my repos on another platform I'm using Electron's auto-updater with private GitHub releases already, I just need to make the ability to manual download releases rather than automated.

Answer 1

If you're using a personal token, you can use Authorization http header to authenticate using the api, see this :

const axios = require("axios");

const key = "YOUR_TOKEN";

(async () => {
  //get releases
  const { data } = await axios.get(
    "https://api.github.com/repos/OWNER/REPO/releases",
    {
      headers: {
        Authorization: `Token ${key}`,
      },
    }
  );
  console.log(data);
})();

The following script will download all assets from the latest release and save those assets to local files:

const axios = require("axios");
const fs = require("fs");

const key = "YOUR_TOKEN";
const authHeaders = {
  Authorization: `Token ${key}`,
};
const repoWithOwner = "bertrandmartel/test-repo";

(async () => {
  //get latest release
  var response = await axios.get(
    `https://api.github.com/repos/${repoWithOwner}/releases/latest`,
    {
      headers: authHeaders,
    }
  );
  var assets = response.data.assets;
  for (var i = 0; i < assets.length; i++) {
    console.log(assets[i].url);
    response = await axios({
      method: "get",
      url: assets[i].url,
      responseType: "stream",
      headers: {
        Accept: "application/octet-stream",
        ...authHeaders,
      },
    });
    response.data.pipe(fs.createWriteStream(assets[i].name)); //write asset to file
  }
})();

Also, there is octokit github client for JS