Repository permission check fails (GET on /repository) #1146
Description
To reproduce:
- On
dev.renku.chwith DS version0.62.0 - Create a project
- Add a repository to it (e.g. https://github.com/SwissDataScienceCenter/renku-ui.git)
- Permission check shows a 500 error
Stack trace from the data service:
2025-12-17T16:15:24.628599 [ERROR] 22/MainThread sanic.error (error.py:203) [a87db5b3-9361-1d2f-a73b-fd574d3de756] - Exception occurred while handling uri: 'https://dev.renku.ch/api/data/repository?url=https%3A%2F%2Fgithub.com%2FSwissDataScienceCenter%2Frenku-ui.git'
Traceback (most recent call last):
File "/app/env/lib/python3.13/site-packages/cryptography/fernet.py", line 130, in _verify_signature
h.verify(data[-32:])
~~~~~~~~^^^^^^^^^^^^
cryptography.exceptions.InvalidSignature: Signature did not match digest.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "handle_request", line 100, in handle_request
Extend = TypeVar("Extend", type) # type: ignore
^^^^^^^^^^^^^^
File "/app/env/lib/python3.13/site-packages/renku_data_services/base_api/auth.py", line 66, in decorated_function
response = await f(request, user1, user2, *args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/env/lib/python3.13/site-packages/renku_data_services/base_api/etag.py", line 42, in decorated_function
response = await f(request, *args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/env/lib/python3.13/site-packages/renku_data_services/repositories/blueprints.py", line 43, in _get_one_repository
result = await self.git_repositories_repo.get_repository(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
...<4 lines>...
)
^
File "/app/env/lib/python3.13/site-packages/renku_data_services/repositories/db.py", line 76, in get_repository
await self._get_repository_authenticated_or_anonym(
connection_id=connection.id, client=provider, repository_url=valid_url, user=user, etag=etag
)
File "/app/env/lib/python3.13/site-packages/renku_data_services/repositories/db.py", line 207, in _get_repository_authenticated_or_anonym
result = await self._get_repository_authenticated(connection_id, repository_url, user, etag)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/env/lib/python3.13/site-packages/renku_data_services/repositories/db.py", line 185, in _get_repository_authenticated
oauth_client = await self.oauth_client_factory.for_user_connection_raise(user, connection_id)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/env/lib/python3.13/site-packages/renku_data_services/connected_services/oauth_http.py", line 381, in for_user_connection_raise
client = await self.for_user_connection(user, connection_id)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/env/lib/python3.13/site-packages/renku_data_services/connected_services/oauth_http.py", line 409, in for_user_connection
token = self.decrypt_token_set(token=connection.token, user_id=user.id)
File "/app/env/lib/python3.13/site-packages/renku_data_services/connected_services/oauth_http.py", line 607, in decrypt_token_set
result["access_token"] = crypt.decrypt_string(self._encryption_key, user_id, b64decode(result.access_token))
~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/env/lib/python3.13/site-packages/renku_data_services/utils/cryptography.py", line 36, in decrypt_string
return Fernet(key).decrypt(data).decode()
~~~~~~~~~~~~~~~~~~~^^^^^^
File "/app/env/lib/python3.13/site-packages/cryptography/fernet.py", line 89, in decrypt
return self._decrypt_data(data, timestamp, time_info)
~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/env/lib/python3.13/site-packages/cryptography/fernet.py", line 148, in _decrypt_data
self._verify_signature(data)
~~~~~~~~~~~~~~~~~~~~~~^^^^^^
File "/app/env/lib/python3.13/site-packages/cryptography/fernet.py", line 132, in _verify_signature
raise InvalidToken
cryptography.fernet.InvalidToken
