
Add authentication requirements to runners API and repository page

Open: Copilot opened this issue 6 months ago • 3 comments

This PR implements authentication requirements for the /api/runners/[org] API endpoint and creates a new /repository/[org] page, both requiring users to be logged in with GitHub and have write permissions to the pytorch/pytorch repository.

Changes Made

🔒 API Authentication (/api/runners/[org].ts)

  • Added authentication check using the existing getAuthorizedUsername() helper function
  • API now requires GitHub OAuth login AND write permissions to pytorch/pytorch
  • Returns appropriate HTTP status codes:
    • 401 for unauthenticated users with "Authentication required" message
    • 403 for users with insufficient permissions
  • Preserves existing GRAFANA_MCP_AUTH_TOKEN bypass functionality for system access
  • Maintains full backward compatibility for authorized users

📄 Repository Page (/repository/[org].tsx)

  • Created new protected page at /repository/[org] route
  • Implements complete authentication flow with multiple states:
    • Loading state while checking authentication
    • Sign-in prompt for unauthenticated users
    • Insufficient permissions message with access request links
    • Protected content for authorized users
  • Follows existing UI patterns from TorchAgentPage for consistency
  • Includes helpful error messages and action buttons

🧪 Test Coverage

  • Updated existing runners-api.test.ts to mock authentication properly
  • Added comprehensive runners-api-auth.test.ts with authentication scenarios:
    • Unauthorized users are properly rejected
    • Authorized users can access the API
    • Bypass users (grafana-bypass-user) work correctly
  • All 16 test suites continue to pass with no regressions

Authentication Flow

Both features use the existing authentication infrastructure:

  1. GitHub OAuth: Users must sign in with their GitHub account via NextAuth.js
  2. Permission Check: getAuthorizedUsername() verifies the user has write permissions to pytorch/pytorch using GitHub's API
  3. Access Control: Only users meeting both requirements can access protected content

Manual Testing

✅ API Endpoint: curl http://localhost:3000/api/runners/pytorch returns {"error":"Authentication required"} with 401 status

✅ Repository Page: Visiting /repository/pytorch shows proper authentication UI with sign-in prompts and clear error messages

✅ Existing Functionality: All existing API and page functionality remains intact for authorized users

This implementation ensures sensitive repository information and runner data are only accessible to users with appropriate permissions while maintaining a smooth user experience with clear guidance for authentication.



Copilot, Aug 19 '25 23:08
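The gate described in the PR body (401 when there is no GitHub session, 403 when the user lacks write access, GRAFANA_MCP_AUTH_TOKEN bypass preserved), as an added example that is not test-infra's code: the request/response shapes, the `Principal` type standing in for what `getAuthorizedUsername()` derives from the session, the bearer-header convention and the 403 message wording are assumptions. It also covers the caveat that the bypass must stay disabled when the token is unset or empty.

```typescript
// Added example (not test-infra's code): framework-agnostic model of the
// gate described for /api/runners/[org]. Shapes and helper names are assumed.
interface Principal {
  login: string | null;     // GitHub login from the OAuth session, null if not signed in
  hasWriteAccess: boolean;  // result of the write-permission check on pytorch/pytorch
}
interface ApiRequest {
  headers: Record<string, string | undefined>;
  query: { org?: string };
}
interface ApiResponse { status: number; body: Record<string, unknown> }
export const BYPASS_USER = "grafana-bypass-user";
// Constructed sample data standing in for the real runner inventory.
const SAMPLE_RUNNERS: Record<string, string[]> = {
  pytorch: ["linux.4xlarge", "linux.g5.4xlarge.nvidia.gpu"],
};
// Compare secrets without an early exit so response timing does not reveal
// how many leading bytes matched (same idea as crypto.timingSafeEqual).
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}
export function handleRunners(
  req: ApiRequest,
  principal: Principal | null,      // what getAuthorizedUsername() would derive (assumed shape)
  bypassToken: string | undefined,  // value of GRAFANA_MCP_AUTH_TOKEN, undefined when unset
): ApiResponse {
  const org = req.query.org ?? "";
  const presented = req.headers["authorization"];
  // System bypass: only active when the token is configured AND the caller
  // presents exactly it; an unset or empty token disables the bypass, never opens it.
  if (bypassToken && presented && constantTimeEqual(presented, `Bearer ${bypassToken}`)) {
    return { status: 200, body: { org, caller: BYPASS_USER, runners: SAMPLE_RUNNERS[org] ?? [] } };
  }
  // No GitHub session at all -> 401 with the message the PR specifies.
  if (!principal || !principal.login) {
    return { status: 401, body: { error: "Authentication required" } };
  }
  // Signed in but no write permission -> 403 (message wording is assumed).
  if (!principal.hasWriteAccess) {
    return { status: 403, body: { error: "Insufficient permissions" } };
  }
  return { status: 200, body: { org, caller: principal.login, runners: SAMPLE_RUNNERS[org] ?? [] } };
}
```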