fix: add repo scope to GitHub OAuth for private repository access #38
arpita-1111 wants to merge 2 commits into
Conversation

Someone is attempting to deploy a commit to the rishabhjtripathi2903-3434's projects Team on Vercel. A member of the Team first needs to authorize it.

Note
| Layer / File(s) | Summary |
|---|---|
| GitHub OAuth scope configuration `src/lib/auth.ts` | GitHub provider OAuth scope updated from `read:user user:email public_repo` to `read:user user:email repo`. |
| Sign-in UI permission disclosure `src/app/login/page.tsx` | GitHub sign-in button content now shows GitHub plus a small note: "(needed to analyze private repos)"; click handler and styling unchanged. |
| Environment configuration documentation `.env.example` | Added comment documenting that the GitHub OAuth scope must be set to "repo" (not "public_repo") to access private repositories. |
🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks | ✅ 3 | ❌ 2
❌ Failed checks (1 warning, 1 inconclusive)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Linked Issues check | ❓ Inconclusive | The changes address most requirements from #22: scope updated to 'repo' in GithubProvider, login button updated with private repo note, and .env.example documented. However, GitHub OAuth App settings update and private repo functionality testing are not reflected in code changes. | Verify that GitHub OAuth App settings have been updated separately for the 'repo' scope, and confirm testing of private repo access in the dashboard was completed. |
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding the 'repo' scope to GitHub OAuth to enable private repository access. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to addressing issue #22: updating OAuth scope, documenting requirements, and clarifying permissions on the login page. |
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/app/login/page.tsx`:
- Around line 269-276: The GitHub sign-in button currently shows “(incl. private
repos)” without a rationale; update the UI around the button in page.tsx so the
GitHub sign-in (signIn('github', ...)) includes a short, clear rationale (e.g.,
“Needed to analyze your private repositories for Traceon features”) visible next
to or under the button and ensure it is accessible (use an inline sentence,
aria-describedby, or a small help text element associated with the button/Github
icon). Locate the button rendering (the element containing signIn('github', {
callbackUrl: '/home' }), Github component, and the “(incl. private repos)” span)
and replace or augment that span with the concise rationale text and accessible
attributes so users understand why private repo access is requested.
In `@src/lib/auth.ts`:
- Line 54: Remove the client-visible GitHub token by stopping assignment of
token.accessToken -> session.user.accessToken in the callbacks.session
implementation in src/lib/auth.ts (do not add accessToken to session.user);
reduce the OAuth scopes string (remove or narrow the 'repo' scope) to the
minimum required; and update the server API handler that needs GitHub auth (the
GET/POST handler in src/app/api/github/route.ts) to retrieve the access token
server-side via getToken from 'next-auth/jwt' (or read it from the server-side
NextAuth JWT) and use that token for the Authorization header instead of relying
on session.user.accessToken.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 17c16118-dff2-4de6-a5ad-2777f746a447
📒 Files selected for processing (3)
- .env.example
- src/app/login/page.tsx
- src/lib/auth.ts
| authorization: { | ||
| params: { | ||
| scope: 'read:user user:email public_repo', | ||
| scope: 'read:user user:email repo', |
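Review bot: `repo` is GitHub's full read/write scope over every repository the signed-in user can reach (public and private, personal and organization), not a read-only private-repo scope, so this hunk grants far more than "analyze private repos" needs. GitHub OAuth Apps have no narrower private-read scope; if read access is all Traceon uses, a GitHub App with Contents: Read permission on user-selected repositories is the least-privilege alternative. If the OAuth scope is kept, the change also needs a re-consent path: tokens issued under the previous `read:user user:email public_repo` consent keep that scope until the user signs out and authorizes again, so existing sessions will still get 404s from the contents API on private repos. Checking the `X-OAuth-Scopes` response header for `repo` before the first private-repo call, and redirecting to sign-in when it is missing, avoids that silent failure.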
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify whether client code depends on exposed session token before removing it.
rg -nP --type=ts --type=tsx -C2 '\bsession\.user\.accessToken\b|\buser\.accessToken\b|\btoken\.accessToken\b'
Repository: Rishabhworkspace/Traceon
Length of output: 96
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# 1) Show the relevant sections of src/lib/auth.ts
echo "---- src/lib/auth.ts (around scope line 54) ----"
sed -n '35,80p' src/lib/auth.ts
echo "---- src/lib/auth.ts (around token/session callbacks lines ~120-170) ----"
sed -n '95,170p' src/lib/auth.ts
# 2) Re-run searches without relying on rg --type=tsx (which failed earlier)
echo "---- usage: session.user.accessToken ----"
rg -n "session\.user\.accessToken" . || true
echo "---- usage: user.accessToken ----"
rg -n "\buser\.accessToken\b" . || true
echo "---- usage: token.accessToken ----"
rg -n "\btoken\.accessToken\b" . || true
Repository: Rishabhworkspace/Traceon
Length of output: 5627
🏁 Script executed:
#!/bin/bash
set -euo pipefail
sed -n '1,140p' src/app/api/github/route.ts
Repository: Rishabhworkspace/Traceon
Length of output: 4632
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "---- accessToken occurrences (ts/tsx) ----"
rg -n --glob '*.ts' --glob '*.tsx' '\baccessToken\b' src || true
echo "---- session?.user?.accessToken patterns ----"
rg -n --glob '*.ts' --glob '*.tsx' 'session\?\.[^\n]*user\?\.[^\n]*accessToken|user\?\.[^\n]*accessToken' src || true
echo "---- useSession usage with accessToken near it (±10 lines) ----"
rg -n --glob '*.ts' --glob '*.tsx' 'useSession' src -C 10 | rg -n 'accessToken' || true
Repository: Rishabhworkspace/Traceon
Length of output: 613
🏁 Script executed:
#!/bin/bash
set -euo pipefail
rg -n --glob '*.ts' --glob '*.tsx' "getToken|next-auth/jwt" src || true
rg -n --glob '*.ts' --glob '*.tsx' "useSession|getSession|session\W" src || true
Repository: Rishabhworkspace/Traceon
Length of output: 9501
🏁 Script executed:
#!/bin/bash
set -euo pipefail
rg -n --glob '*.ts' --glob '*.tsx' "declare module 'next-auth'|module 'next-auth'|Session.*accessToken|accessToken.*Session" src || true
Repository: Rishabhworkspace/Traceon
Length of output: 50
Do not expose GitHub OAuth repo access tokens in client-visible NextAuth session data

- `src/lib/auth.ts` requests `scope: 'read:user user:email repo'`, stores `account.access_token` into `token.accessToken`, and then forwards it to `session.user.accessToken`.
- The app uses `useSession()` in client components, so this makes a high-privilege GitHub token part of the client-visible session payload (increasing compromise impact for private repo access).
- `src/app/api/github/route.ts` relies on `session.user.accessToken` server-side, so the server flow needs to change to fetch the access token without putting it on `session.user`.

Suggested direction
- In `src/lib/auth.ts` `callbacks.session`, stop setting `session.user.accessToken`.
- In `src/app/api/github/route.ts`, read the GitHub access token from the server-side NextAuth JWT (e.g., via `getToken` from `next-auth/jwt`) and use it for the `Authorization` header.
- Reduce OAuth scopes to the minimum required (avoid the broad `repo` scope unless it's strictly necessary).
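The finding above asks for the GitHub token to stay inside the server-side NextAuth JWT and to be read with `getToken` in the route handler rather than copied onto `session.user`. The TypeScript below is an added example written for this review thread; it is not Traceon's code and not NextAuth's API. It models the `jwt` and `session` callbacks as plain functions with simplified stand-ins for the objects NextAuth passes (no `next-auth` import, so it runs stand-alone), builds the server-side `Authorization` header from the decoded JWT, and checks GitHub's `X-OAuth-Scopes` response header so a token issued under the old `public_repo` consent is detected and the user can be sent to re-authorize. The `REPO_SUBSCOPES` set, the `demo` flow and all sample values are constructed for the example.

```typescript
// Added example for this review thread (not Traceon's code, not next-auth's API).
// Assumes NextAuth's JWT session strategy; the interfaces are simplified stand-ins
// for the objects NextAuth passes to callbacks, so no next-auth import is needed.

interface GitHubAccount { access_token?: string; scope?: string } // token-endpoint response
interface JwtPayload { sub?: string; name?: string; accessToken?: string; scope?: string }
interface SessionUser { name?: string; email?: string; image?: string }
interface Session { user: SessionUser; expires: string }

// callbacks.jwt: `account` is only present on the sign-in request. The JWT is
// encrypted by NextAuth and only decryptable server-side, so the token may live here.
export function jwtCallback(token: JwtPayload, account?: GitHubAccount | null): JwtPayload {
  if (account?.access_token) {
    return { ...token, accessToken: account.access_token, scope: account.scope };
  }
  return token; // later requests: keep whatever was stored at sign-in
}

// callbacks.session: this object is serialised to the browser for useSession().
// Copy only display fields; the access token and scope never cross this boundary.
export function sessionCallback(session: Session, token: JwtPayload): Session {
  return {
    expires: session.expires,
    user: { name: token.name ?? session.user.name, email: session.user.email, image: session.user.image },
  };
}

// Server side (e.g. a route handler): getToken({ req, secret }) from 'next-auth/jwt'
// returns the decrypted payload; pass it here to build the GitHub request headers.
export function githubAuthHeaders(jwt: JwtPayload | null): Record<string, string> | null {
  if (!jwt?.accessToken) return null; // unauthenticated: caller returns 401
  return {
    Authorization: `Bearer ${jwt.accessToken}`,
    Accept: 'application/vnd.github+json',
  };
}

// GitHub echoes a token's granted scopes in the X-OAuth-Scopes response header
// (comma-separated). Sessions created before the scope change still carry a
// `public_repo` token; detect that so the caller can redirect to re-consent
// instead of getting a 404 from the contents API on a private repo.
// Sub-scopes that the parent `repo` scope implies (constructed from GitHub's scope list).
const REPO_SUBSCOPES = new Set(['repo:status', 'repo_deployment', 'public_repo', 'repo:invite', 'security_events']);

export function scopeSatisfied(xOauthScopes: string, required: string): boolean {
  const granted = new Set(xOauthScopes.split(',').map((s) => s.trim()).filter(Boolean));
  if (granted.has(required)) return true;
  // `repo` is the parent scope: holding it satisfies any of its sub-scopes, never the reverse.
  return REPO_SUBSCOPES.has(required) && granted.has('repo');
}

// Constructed sample flow: sign-in with the new scope, then both callbacks, then the
// server-side header build, plus a scope check on an older public_repo-only token.
export function demo(): { clientSession: Session; headers: Record<string, string> | null; needsReconsent: boolean } {
  const account: GitHubAccount = { access_token: 'gho_exampletoken', scope: 'read:user,user:email,repo' }; // constructed
  const jwt = jwtCallback({ sub: '42', name: 'octocat' }, account);
  const clientSession = sessionCallback({ user: { email: 'octocat@example.com' }, expires: '2030-01-01T00:00:00.000Z' }, jwt);
  const headers = githubAuthHeaders(jwt);
  // Header value as GitHub would report it for a token from the old consent screen (constructed):
  const needsReconsent = !scopeSatisfied('read:user, user:email, public_repo', 'repo');
  return { clientSession, headers, needsReconsent };
}
```

In the real handler the `jwt` argument comes from `getToken({ req, secret: process.env.NEXTAUTH_SECRET })`, so the browser only ever sees the trimmed `clientSession`; a leaked session cookie or a dumped `useSession()` payload then yields no GitHub credential.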
@arpita-1111 If you need help refactoring the token storage to avoid client-side exposure, here's a quick suggestion:
Current risky code (in src/lib/auth.ts):
session.user.accessToken = token.accessToken; // ❌ exposes token to client

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!
@arpita-1111 look for coderabbit suggestions
The latest updates on your projects. Learn more about Vercel for GitHub.
**_@arpita-1111 Thanks for the PR. However, there's a security concern raised by CodeRabbit:
Please consider:
This is a blocker for merging. Let me know if you need help refactoring._**

@arpita-1111 & @Rishabhworkspace If you need help refactoring the token storage to avoid client-side exposure, here's a quick suggestion:
Current risky code: session.user.accessToken = token.accessToken; // ❌ exposes token to client

work done!
Closes #22

What this PR does
- `public_repo` to `repo` in auth.ts

Changes Made
- `repo`

Summary by CodeRabbit