
Support for Authentication Schemes - Decouple user auth from GitHub API credentials

Open Copilot opened this issue 6 months ago • 3 comments

This PR implements a new authentication architecture that decouples user authentication from GitHub API credentials, addressing the security and flexibility concerns raised in the issue.

Problem

Previously, the application tightly coupled user authentication with GitHub API access:

  • Users needed GitHub API permissions (copilot, manage_billing, etc.) to view metrics
  • Only GitHub OAuth was supported for user authentication
  • User tokens were used directly for GitHub API calls

Solution

Implemented a flexible authentication scheme with three priority levels:

1. GitHub App Authentication (Recommended - New)

Uses GitHub App credentials for API calls while supporting multiple OAuth providers for user authentication:

# GitHub App handles API calls
NUXT_GITHUB_APP_ID=12345
NUXT_GITHUB_APP_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----..."
NUXT_GITHUB_APP_INSTALLATION_ID=67890

# Users authenticate via any OAuth provider
NUXT_OAUTH_GOOGLE_CLIENT_ID=your_google_client_id
NUXT_OAUTH_GOOGLE_CLIENT_SECRET=your_google_client_secret

# Optional access control
NUXT_AUTHORIZED_USERS=alice,bob,charlie

2. Personal Access Token (Legacy - Existing)

Continues to work as before for backward compatibility.

3. User OAuth Token (Deprecated - Existing)

Legacy GitHub OAuth mode continues to work but is now deprecated.

Key Features

🔐 Enhanced Security

  • Users no longer need GitHub API permissions
  • GitHub App uses minimal required permissions
  • Separate credentials for user auth vs API access

🌍 Multiple Identity Providers

  • Support for 20+ OAuth providers via nuxt-auth-utils
  • GitHub: /auth/github
  • Google: /auth/google
  • Microsoft: /auth/microsoft
  • And many more (Auth0, AWS Cognito, Discord, etc.)

👥 Flexible Authorization

  • Optional username-based access control
  • Comma-separated list in NUXT_AUTHORIZED_USERS
  • Case-insensitive matching
  • If not configured, all authenticated users are allowed

🔄 Backward Compatibility

  • All existing authentication methods continue to work
  • No breaking changes to current deployments
  • Gradual migration path available

Implementation Details

  • GitHub App Module: Handles JWT generation and installation token management with caching
  • Authorization Logic: Inline authorization checks in OAuth handlers for build compatibility
  • Enhanced Authentication Flow: Priority-based authentication selection
  • Comprehensive Documentation: Updated README with setup guides and migration instructions

Testing

  • ✅ All existing tests pass (85/85)
  • ✅ New authorization logic tested
  • ✅ Build compatibility verified
  • ✅ No breaking changes to existing functionality

Migration Guide

For existing deployments using NUXT_PUBLIC_USING_GITHUB_AUTH=true:

  1. Set up a GitHub App with required permissions
  2. Configure your preferred OAuth provider(s)
  3. Optionally set NUXT_AUTHORIZED_USERS for access control
  4. Remove NUXT_PUBLIC_USING_GITHUB_AUTH (defaults to false)

The new system provides better security, more flexibility, and easier user management while maintaining full backward compatibility.

Fixes #244.

[!WARNING]

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • api.fontshare.com
    • Triggering command: node (vitest) (dns block)
    • Triggering command: node /home/REDACTED/work/copilot-metrics-viewer/copilot-metrics-viewer/node_modules/.bin/nuxt build (dns block)
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
  • api.fontsource.org
    • Triggering command: node (vitest) (dns block)
    • Triggering command: node /home/REDACTED/work/copilot-metrics-viewer/copilot-metrics-viewer/node_modules/.bin/nuxt build (dns block)
  • fonts.bunny.net
    • Triggering command: node (vitest) (dns block)
    • Triggering command: node /home/REDACTED/work/copilot-metrics-viewer/copilot-metrics-viewer/node_modules/.bin/nuxt build (dns block)
  • fonts.google.com
    • Triggering command: node (vitest) (dns block)
    • Triggering command: node /home/REDACTED/work/copilot-metrics-viewer/copilot-metrics-viewer/node_modules/.bin/nuxt build (dns block)
  • fonts.googleapis.com
    • Triggering command: node (vitest 2) (dns block)
    • Triggering command: node (vitest 1) (dns block)
    • Triggering command: node (vitest 3) (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot, Aug 07 '25 18:08
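The three behaviours the PR body describes (priority-based scheme selection, the case-insensitive NUXT_AUTHORIZED_USERS allow-list, and installation-token caching using the 3600s/300s constants it mentions), modelled as an added example that is not the project's own code. It assumes NUXT_GITHUB_TOKEN as the legacy PAT variable name and uses 300s as a refresh margin before the 3600s token lifetime ends; neither detail is stated on the page.

```typescript
// Added example, not the project's code. Env var names for the GitHub App
// and the deprecated user-OAuth flag come from the PR body; NUXT_GITHUB_TOKEN
// (legacy PAT) and the use of 300s as a refresh margin are assumptions.
type Env = Record<string, string | undefined>;
type AuthScheme = 'github-app' | 'pat' | 'user-oauth' | 'none';

const INSTALLATION_TOKEN_TTL_SECONDS = 3600; // GitHub App installation tokens live one hour
const TOKEN_REFRESH_MARGIN_SECONDS = 300;    // refresh early so in-flight calls never hit expiry

// Priority order from the PR: GitHub App > Personal Access Token > user OAuth token.
function selectAuthScheme(env: Env): AuthScheme {
  const hasApp = env.NUXT_GITHUB_APP_ID && env.NUXT_GITHUB_APP_PRIVATE_KEY && env.NUXT_GITHUB_APP_INSTALLATION_ID;
  if (hasApp) return 'github-app';
  if (env.NUXT_GITHUB_TOKEN) return 'pat';                          // assumed variable name
  if (env.NUXT_PUBLIC_USING_GITHUB_AUTH === 'true') return 'user-oauth';
  return 'none';
}

// Comma-separated allow-list, case-insensitive; unset or blank means every
// authenticated user is allowed, as the PR states.
function isAuthorized(login: string, authorizedUsers: string | undefined): boolean {
  const allow = (authorizedUsers ?? '')
    .split(',')
    .map((u) => u.trim().toLowerCase())
    .filter((u) => u.length > 0);
  if (allow.length === 0) return true;
  return allow.includes(login.trim().toLowerCase());
}

// Installation-token cache. The clock is injected so expiry is testable;
// fetchToken stands in for the real GitHub App installation-token call.
class InstallationTokenCache {
  private token?: string;
  private expiresAtMs = 0;
  private fetches = 0;
  constructor(private readonly fetchToken: () => string, private readonly now: () => number) {}

  getToken(): string {
    const remainingMs = this.expiresAtMs - this.now();
    if (this.token && remainingMs > TOKEN_REFRESH_MARGIN_SECONDS * 1000) return this.token;
    this.token = this.fetchToken();
    this.fetches++;
    this.expiresAtMs = this.now() + INSTALLATION_TOKEN_TTL_SECONDS * 1000;
    return this.token;
  }

  fetchCount(): number { return this.fetches; }
}
```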

@karpikpl 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.

Copilot, Aug 07 '25 18:08

@copilot can you merge main into this branch? Look at code review comments. Make sure the new features are well tested with unit tests

karpikpl, Aug 10 '25 02:08

@copilot can you merge main into this branch? Look at code review comments. Make sure the new features are well tested with unit tests

Completed all requested items:

  1. Merged main into this branch - Successfully merged with latest changes including Teams tab redesign and dependency updates
  2. Addressed code review comments - Fixed all 4 review feedback items:
    • Removed confusing GitHub App auth condition
    • Simplified OAuth authorization checks
    • Extracted magic numbers to named constants (3600s, 300s)
  3. Added comprehensive unit tests - Significantly expanded test coverage for authentication features:
    • GitHub App Authentication: 5 tests covering JWT generation, token caching, configuration validation, and error handling
    • Authorization Logic: 9 tests covering user access control, case-insensitive matching, and edge cases
    • Authentication Flow: 6 tests covering priority-based method selection and token expiry logic
    • OAuth Integration: 18 tests covering authorization logic for GitHub, Google, and Microsoft OAuth providers

Test Results: All 140 tests now pass (improved from 87), with comprehensive coverage of the new authentication features including edge cases, error scenarios, and multi-provider OAuth support.

Commit: e5e734e

[!WARNING]

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • api.fontshare.com
    • Triggering command: node (vitest) (dns block)
  • api.fontsource.org
    • Triggering command: node (vitest) (dns block)
  • fonts.bunny.net
    • Triggering command: node (vitest) (dns block)
  • fonts.google.com
    • Triggering command: node (vitest) (dns block)
  • fonts.googleapis.com
    • Triggering command: node (vitest 1) (dns block)
    • Triggering command: node (vitest 3) (dns block)
    • Triggering command: node (vitest 2) (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot, Aug 10 '25 03:08