Either the 2FA documentation is wrong or the client is broken

[krainboltgreene]

require "octokit"
stack = Faraday::RackBuilder.new do |builder|
  builder.response :logger
  builder.use Octokit::Response::RaiseError
  builder.adapter Faraday.default_adapter
end
Octokit.middleware = stack

print "Enter username & password: "
username, password = gets.chomp.split
puts " "
client = Octokit::Client.new(login: username, password: password)
print "Token: "
headers = { headers: { "X-GitHub-OTP" => gets.chomp } }

client.user(username, headers)
client.login

client.repositories.each do |repository|
  puts "Watching #{repository.name}"
  client.watch(repository)
end

▶ ruby watch-my-repositories.rb
Enter username & password: ...
Token: 507127
I, [2015-05-23T19:52:45.243341 #15271]  INFO -- : get https://api.github.com/users/krainboltgreene?headers%5BX-GitHub-OTP%5D=507127
D, [2015-05-23T19:52:45.243523 #15271] DEBUG -- request: Accept: "application/vnd.github.v3+json"
User-Agent: "Octokit Ruby Gem 3.8.0"
Content-Type: "application/json"
Authorization: "Basic REMOVED"
X-GitHub-OTP: "507127"
I, [2015-05-23T19:52:45.709120 #15271]  INFO -- Status: 200
D, [2015-05-23T19:52:45.709460 #15271] DEBUG -- response: server: "GitHub.com"
date: "Sun, 24 May 2015 00:52:45 GMT"
content-type: "application/json; charset=utf-8"
transfer-encoding: "chunked"
connection: "close"
status: "200 OK"
x-ratelimit-limit: "5000"
x-ratelimit-remaining: "4995"
x-ratelimit-reset: "1432431733"
cache-control: "private, max-age=60, s-maxage=60"
last-modified: "Sun, 24 May 2015 00:37:10 GMT"
etag: "W/\"ca3224fef8011343e93c3f6ef09f4afd\""
vary: "Accept, Authorization, Cookie, X-GitHub-OTP, Accept-Encoding"
x-github-media-type: "github.v3; format=json"
x-xss-protection: "1; mode=block"
x-frame-options: "deny"
content-security-policy: "default-src 'none'"
access-control-allow-credentials: "true"
access-control-expose-headers: "ETag, Link, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval"
access-control-allow-origin: "*"
x-github-request-id: "6BCE1610:1628:7329127:556120DD"
strict-transport-security: "max-age=31536000; includeSubdomains; preload"
x-content-type-options: "nosniff"
x-served-by: "07ff1c8a09e44b62e277fae50a1b1dc4"
I, [2015-05-23T19:52:45.777364 #15271]  INFO -- : get https://api.github.com/user/repos
D, [2015-05-23T19:52:45.777457 #15271] DEBUG -- request: Accept: "application/vnd.github.v3+json"
User-Agent: "Octokit Ruby Gem 3.8.0"
Content-Type: "application/json"
Authorization: "Basic REMOVED"
/Users/krainboltgreene/.rvm/gems/ruby-2.2.2/gems/octokit-3.8.0/lib/octokit/response/raise_error.rb:16:in `on_complete': GET https://api.github.com/user/repos: 401 - Must specify two-factor authentication OTP code. // See: https://developer.github.com/v3/auth#working-with-two-factor-authentication (Octokit::OneTimePasswordRequired)
    from /Users/krainboltgreene/.rvm/gems/ruby-2.2.2/gems/faraday-0.9.1/lib/faraday/response.rb:9:in `block in call'
    from /Users/krainboltgreene/.rvm/gems/ruby-2.2.2/gems/faraday-0.9.1/lib/faraday/response.rb:57:in `on_complete'
    from /Users/krainboltgreene/.rvm/gems/ruby-2.2.2/gems/faraday-0.9.1/lib/faraday/response.rb:8:in `call'
    from /Users/krainboltgreene/.rvm/gems/ruby-2.2.2/gems/faraday-0.9.1/lib/faraday/response.rb:8:in `call'
    from /Users/krainboltgreene/.rvm/gems/ruby-2.2.2/gems/faraday-0.9.1/lib/faraday/response/logger.rb:24:in `call'
    from /Users/krainboltgreene/.rvm/gems/ruby-2.2.2/gems/faraday-0.9.1/lib/faraday/rack_builder.rb:139:in `build_response'
    from /Users/krainboltgreene/.rvm/gems/ruby-2.2.2/gems/faraday-0.9.1/lib/faraday/connection.rb:377:in `run_request'
    from /Users/krainboltgreene/.rvm/gems/ruby-2.2.2/gems/faraday-0.9.1/lib/faraday/connection.rb:140:in `get'
    from /Users/krainboltgreene/.rvm/gems/ruby-2.2.2/gems/sawyer-0.6.0/lib/sawyer/agent.rb:94:in `call'
    from /Users/krainboltgreene/.rvm/gems/ruby-2.2.2/gems/octokit-3.8.0/lib/octokit/client.rb:339:in `request'
    from /Users/krainboltgreene/.rvm/gems/ruby-2.2.2/gems/octokit-3.8.0/lib/octokit/client.rb:200:in `paginate'
    from /Users/krainboltgreene/.rvm/gems/ruby-2.2.2/gems/octokit-3.8.0/lib/octokit/client/repositories.rb:68:in `repositories'
    from watch-my-repositories.rb:17:in `<main>'

[pengwynn]

You'll need to pass the OTP on every request. Since an OTP is no longer valid after it's used, it's not feasible for a loop like this. Instead, I recommend creating a Personal Access Token and use that as your password. With PATs, you won't need to worry about sending the OTP.

[krainboltgreene]

Hmm, does that explain why the OTP is also in the request GET query string?

On Sat, May 23, 2015 at 8:36 PM, Wynn Netherland notifications@github.com
wrote:

You'll need to pass the OTP on every request. Since an OTP is no longer
valid after it's used, it's not feasible for a loop like this. Instead, I
recommend creating a Personal Access Token
https://help.github.com/articles/creating-an-access-token-for-command-line-use/
and use that as your password. With PATs, you won't need to worry about
sending the OTP.

—
Reply to this email directly or view it on GitHub
#592 (comment).

Kurtis Rainbolt-Greene, Hacker
Software Developer
1631 8th St.
New Orleans, LA
70115

[pengwynn]

Hmm, does that explain why the OTP is also in the request GET query string?

A second look at the request headers indicates they're being sent, they're just also getting sent in the query because we're doing a Hash#fetch instead of a Hash#delete.

We should fix that up. Patches are always welcome.