Composer [UnexpectedValueException] error will trying to use composer to install a github project
Matthew Martinez 
I am trying to install a github project using composer and get the following error
Composer [UnexpectedValueException] Your Github oauth token for github.com contains invalid characters: ""
Can anyone explain what I need to do to correct this error?
I am using the following command
composer create-project --prefer-dist --stability=dev vova07/yii2-start yii2-start
Thank you
113 Answers
I started getting a similar error and the reason was that Github recently changed the format of their auth tokens:
To resolve the error:
- Find the
composer/auth.jsonfile (if you're running the project in a container, you'll have to bash into it and find the file in there) - Remove its
github.comentry. Your file will probably look like the following after removing the entry:{"github-oauth": {}} - Run
composer self-update. The issue got resolved in version2.0.12. See the first item in the changelog for that version here:
After that, you can restore your composer/auth.json file to its initial state as the newer version of composer will recognize the new key format.
You can try Basic Auth instead:
Change this (oauth):
"github-oauth": { "github.com": "ghp_[YOUR-PERSONAL-TOKEN]" }To this (basic auth):
"http-basic": { "github.com": { "username": "[YOUR-GITHUB-USERNAME]", "password": "ghp_[YOUR-PERSONAL-TOKEN]" } }You can find instructions on how to create a Personal Access Token
Inspired from github docs. Apparently, you can use Basic Authentication with a Personal Access token instead of oauth in some cases (e.g. like mine: installing a private git repo with composer).
3I fixed it.
Goto C:\Users\XXXXX\AppData\Roaming\Composer
Open the auth.json
delete the github.com entry under "github-oauth": {}
That's it.
8Update answer for Masiorama and Ruchir Mehta:
If you looking for file auth.json but don't know how, use this command:
locate auth.json
And here's the result:
You can see that auth.json will look like this:
/home/{your user name}/.config/composer/auth.json
Then you could use this command to edit the file:
sudo gedit /home/dev/.config/composer/auth.json
And remove content inside github-oauth.
If you're on MacOS, the auth.json file is at ~/.composer/auth.json. Then from there, you can remove the value for github-oauth. I tried fully deleting the file but I got a parse error, Expected one of: 'STRING', 'NUMBER', 'NULL', 'TRUE', 'FALSE', '{', '['. Your auth.json file should look like this:
{ "github-oauth": {}
}This is similar to other answers posted but I wasn't able to use the locate command on MacOS so this might be helpful to other Mac users
This error recently popped up from nowhere.
Simply deleting the whole auth file worked for me..! Not sure why / when it appeared in the first place.
~/.composer/auth.json
As far as I know (I'm a beginner with composer too), the problem is with your authentication, so you have to fix your credentials in auth.json inside path-to-composer/.composer/
Inside you will find a json which will probably looks like:
{ "github-oauth": { "github.com": null }
}Fix that and you should be ok ;)
3The solution is just to upgrade your Composer version
using command composer self-update.
Same solution as the answer of Paulina Khew but with command lines on MacOS :
cd ~/.composer/
nano auth.jsonDelete what is inside th bracket :
{ "github-oauth": {}
}When you're ready to save the file, hold down the Ctrl key and press the letter O
Press the Enter key on your keyboard to save.
When finished, press Ctrl + X to close nano and return to your shell.
Go to C:\Users\UserName\AppData\Roaming\Composer Open the auth.json file. Clear everything and paste the below code
{
"bitbucket-oauth": {},
"github-oauth": {},
"gitlab-oauth": {},
"gitlab-token": {},
"http-basic": {},
"bearer": {}
}I hope it will be solved
1I run in the same problem after upgrading githup api token to the new format. The answer is you need to upgrade composer version 1.10.21 or higher that fixes this problem.
2Edit the composer authentication configuration file ~/.composer/auth.json
Then replace the following.
"http-basic": { "github.com": { "username": "[YOUR-GITHUB-USERNAME]", "password": "ghp_[YOUR-PERSONAL-TOKEN]" }
}Now run the command composer install
That's a bug.
If you have Debian or Ubuntu, try this patch. Otherwise read the last line.
Quick copy-paste patch
If you have Debian 10 buster or Ubuntu 20.LTS or similar distributions, try this copy-paste command:
wget -O /tmp/fix-composer.patch
sudo patch /usr/share/php/Composer/IO/BaseIO.php /tmp/fix-composer.patchIf it does not work, write it in the comments.
Step-by-step explaination
Your Composer version has a bug: you are able to save a valid GitHub token, but then it's not able to read that token again because Composer thinks that your GitHub token cannot contain underscores or stuff like that. Moreover, it's strange that Composer checks its syntax only the second time. Why? that's another story.
The fix is simple. You can temporary disable that wrong validation in your Composer version. Also because GitHub is a proprietary service and their specifications can change over time (as you demonstrated today). So it makes sense not to validate the syntax of GitHub tokens. The only person who should hard-validate GitHub tokens is GitHub itself, not Composer.
If you installed Composer via apt install composer, probably you will not have any update available and surely you cannot use self-update because Composer is read-only for security reasons (and for a similar reason, you should not execute Composer from root). Instead, you can create a safe hot-patch to fix that specific issue.
To create a patch, create a file called /tmp/fix-composer.patch with this exact content:
103,105c103,105
< if (!preg_match('{^[.a-z0-9]+$}', $token)) {
< throw new \UnexpectedValueException('Your github oauth token for '.$domain.' contains invalid characters: "'.$token.'"');
< }
---
> // if (!preg_match('{^[.a-z0-9]+$}', $token)) {
> // throw new \UnexpectedValueException('Your github oauth token for '.$domain.' contains invalid characters: "'.$token.'"');
> // That content can also be seen from here:
Then run this command to apply that patch:
sudo patch /usr/share/php/Composer/IO/BaseIO.php /tmp/fix-composer.patchIf it does not work, probably you have not installed composer via apt.
In short, whatever operating system, and whatever installation method, locate the file BaseIO.php in your Composer and comment out the validation check.
