GithubLoginHandler raises unhelpful error when GitHub app lacks permission to view email addresses #1471

@swils23

Describe the bug
When using Flower's GithubLoginHandler and the GitHub application lacks permission to view emails, the following errors will be raised:

 Traceback (most recent call last):
   File "/opt/venv/lib/python3.11/site-packages/tornado/web.py", line 1859, in _execute
     result = await result
              ^^^^^^^^^^^^
   File "/opt/venv/lib/python3.11/site-packages/flower/views/auth.py", line 125, in get
     await self._on_auth(user)
   File "/opt/venv/lib/python3.11/site-packages/flower/views/auth.py", line 140, in _on_auth
     response = await self.get_auth_http_client().fetch(
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 tornado.httpclient.HTTPClientError: HTTP 403: Forbidden

To Reproduce
Steps to reproduce the behavior:

  1. Follow the Flower docs
    a. Create GitHub app (should not have email permissions by default)
    b. Use the following config in flowerconfig.py or equivalent
    auth = "email@example.com"
    auth_provider = "flower.views.auth.GithubLoginHandler"
    oauth2_key = ****
    oauth2_secret = ****
    oauth2_redirect_uri = "http://localhost:5555/login"
    
    c. Start Flower
    d. Try to log in to Flower; the above 403 error should be raised after you are redirected back from GitHub

Expected behavior

  • A helpful error is raised when a 403 is raised when attempting to read emails from the GitHub app
  • Docs are updated to reflect that the GitHub app must be configured with at least read-only permissions to email addresses under Account Permissions.

System information

flower   -> flower:2.0.1 tornado:6.5.3 humanize:4.14.0
software -> celery:5.6.0 (recovery) kombu:5.6.1 py:3.11.14
            billiard:4.2.4 py-amqp:5.1.1
platform -> system:Linux arch:64bit
            kernel version:6.12.54-linuxkit imp:CPython
loader   -> celery.loaders.app.AppLoader
settings -> transport:amqp results:disabled

deprecated_settings: None
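
One way to turn the 403 described above into an actionable message, as an added example that is neither Flower's code nor part of the original issue. The names `allowed_emails` and `EmailLookupError` and the sample response are constructed; it assumes the failing request is GitHub's `/user/emails` call and that the `auth` pattern must match the whole address.

```python
import json
import re

EMAILS_URL = "https://api.github.com/user/emails"  # GitHub REST endpoint


class EmailLookupError(Exception):
    """Login is refused; the message tells the operator what to fix."""


def allowed_emails(status, body, auth_pattern):
    """Return verified addresses from a /user/emails response that match
    auth_pattern, or raise EmailLookupError (fail closed) on any problem."""
    if status == 403:
        raise EmailLookupError(
            "GitHub returned 403 for %s. Check that the GitHub app has "
            "read-only access to 'Email addresses' under Account "
            "permissions, then log in again." % EMAILS_URL)
    if status != 200:
        raise EmailLookupError(
            "Unexpected HTTP %d from %s; login refused." % (status, EMAILS_URL))
    try:
        entries = json.loads(body)
    except ValueError as exc:  # also covers undecodable bytes
        raise EmailLookupError("GitHub email response is not valid JSON.") from exc
    if not isinstance(entries, list):
        raise EmailLookupError("GitHub email response is not a list.")
    pattern = re.compile(auth_pattern)
    return [
        e["email"].lower() for e in entries
        if isinstance(e, dict)
        and isinstance(e.get("email"), str)
        and e.get("verified") is True      # never trust unverified addresses
        and pattern.fullmatch(e["email"])  # assumption: whole address must match
    ]


# Constructed sample response and pattern, not taken from the issue.
SAMPLE_PATTERN = r".*@example\.com"
SAMPLE_BODY = json.dumps([
    {"email": "email@example.com", "primary": True, "verified": True},
    {"email": "unverified@example.com", "primary": False, "verified": False},
    {"email": "someone@example.org", "primary": False, "verified": True},
]).encode()

if __name__ == "__main__":
    print(allowed_emails(200, SAMPLE_BODY, SAMPLE_PATTERN))
    try:
        allowed_emails(403, b"", SAMPLE_PATTERN)
    except EmailLookupError as exc:
        print(exc)
```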
