fix: self-update silently failing with 403 since v0.38.5#303
Merged
- send User-Agent and Accept headers when downloading release assets for checksum verification (GitHub returns 403 without a User-Agent and JSON metadata without Accept: application/octet-stream)
- log auto-update failures instead of silently discarding them
- run 'spotatui update' via spawn_blocking so reqwest::blocking cannot panic the async runtime
Problem
Auto-update has been silently broken since v0.38.5 for every shipped client. Users on v0.38.5, v0.38.6, and v0.39.0 never receive updates, with no error shown anywhere.
Root cause
`verify_release_checksum` (added in a7c2d74, first shipped in v0.38.5) downloads the `.sha256` sidecar and the release asset with a bare `reqwest` client:
- No `User-Agent` header, and the GitHub API rejects such requests with 403 Forbidden. Reproduced with the released v0.38.6 binary: `Error: HTTP status client error (403 Forbidden) for url (https://api.github.com/repos/LargeModGames/spotatui/releases/assets/...)`.
- No `Accept: application/octet-stream`, so even with a User-Agent the asset API URL would return JSON metadata instead of the file.

`run_auto_update` then swallowed the error with `.ok().and_then(|r| r.ok())`, which is why this went unnoticed for three releases. v0.38.4 (the first self-update release) had no verify step, so updates into 0.38.5/0.38.6 still worked.

Changes
- `src/cli/update.rs`: the verify client now sends `User-Agent: spotatui/<version>` and `Accept: application/octet-stream` on both asset downloads.
- `src/runtime.rs`: auto-update failures are logged with `log::warn!` instead of being discarded, so the next regression is visible in the log file.
- `src/runtime.rs`: `spotatui update` now runs through `spawn_blocking` like the silent path. Calling `reqwest::blocking` machinery on the async runtime thread can panic with "Cannot drop a runtime in a context where blocking is not allowed" (reproduced in a dev build; same crash signature as an older panic log).

Verification
Built this branch with the version temporarily set to 0.38.6 and ran `update --install` on a throwaway copy: it detected v0.39.0, passed checksum verification, downloaded, extracted, and replaced the binary with the exact release exe (17,045,504 bytes, matching the release zip). `cargo fmt`, `clippy -D warnings` (slim and slim+self-update), and all 251 tests pass.

Note for release
Shipped clients 0.38.5 through 0.39.0 carry the broken verify in their own binaries, so they can never self-update regardless of what we publish. This fix needs to go out as v0.39.1, and users need one manual update (winget/brew/AUR/release download) to get there. Release notes should mention this.
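As an added example, not code from the spotatui repository: a dependency-free Rust model of the two request properties from the Root cause section, the sidecar check, and the error handling from the Changes section. `asset_headers`, `check_asset_response`, `verify_sidecar`, `outcome_silent` and `outcome_logged` are hypothetical names, and the sidecar layout (`<hex>  <name>` or bare hex) is an assumption.

```rust
// Added example, not code from the spotatui repository: it models the checks
// and the error handling this PR describes, without reqwest or tokio.
#[derive(Debug, PartialEq)]
pub enum UpdateError {
    Http(u16),              // e.g. 403 when no User-Agent is sent
    NotOctetStream(String), // JSON metadata when Accept is missing
    ChecksumMismatch { expected: String, actual: String },
    TaskFailed,             // stands in for tokio's JoinError
}

/// Headers the verify client must send on every asset download.
pub fn asset_headers(version: &str) -> [(&'static str, String); 2] {
    [("User-Agent", format!("spotatui/{version}")), ("Accept", "application/octet-stream".to_string())]
}

/// Reject a response before its body is fed to checksum verification.
pub fn check_asset_response(status: u16, content_type: &str) -> Result<(), UpdateError> {
    if !(200..300).contains(&status) {
        return Err(UpdateError::Http(status));
    }
    if !content_type.starts_with("application/octet-stream") {
        return Err(UpdateError::NotOctetStream(content_type.to_string()));
    }
    Ok(())
}

/// Parse a `.sha256` sidecar ("<hex>  <name>" or bare hex; assumed format) and
/// compare it with the hex digest computed over the downloaded asset.
pub fn verify_sidecar(sidecar: &str, actual_hex: &str) -> Result<(), UpdateError> {
    let expected = sidecar.split_whitespace().next().unwrap_or("").to_ascii_lowercase();
    let actual = actual_hex.to_ascii_lowercase();
    if expected.len() == 64 && expected == actual { return Ok(()); }
    Err(UpdateError::ChecksumMismatch { expected, actual })
}

/// Before: `.ok().and_then(|r| r.ok())` drops both error layers on the floor.
pub fn outcome_silent(task: Result<Result<bool, UpdateError>, UpdateError>) -> Option<bool> {
    task.ok().and_then(|r| r.ok())
}

/// After: each layer is recorded (the PR uses `log::warn!`) before flattening.
pub fn outcome_logged(task: Result<Result<bool, UpdateError>, UpdateError>, log: &mut Vec<String>) -> Option<bool> {
    match task {
        Ok(Ok(updated)) => Some(updated),
        Ok(Err(e)) => { log.push(format!("auto-update failed: {e:?}")); None }
        Err(e) => { log.push(format!("auto-update task failed: {e:?}")); None }
    }
}
```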