feat(auth): let users choose GitHub OAuth scopes (limit repo access) #43

[kashifalikhan36]

Description

Implemented a scoped OAuth flow and UI so users can pick which GitHub scopes to grant instead of requesting full repo access. This respects user privacy and makes the app request only what it needs.

Related Issue

Closes #43

What changed

• Frontend
  • Login page: scope-selection UI (checkboxes) and redirects with validated scopes.
  • Navbar: go to login page so users can pick scopes.
  • Profile page: shows requested vs granted scopes.
• Backend
  • GET /auth/login?scopes=... validates against an allow-list and stores github_requested_scopes in session.
  • GET /auth/scopes returns requested vs granted scopes.
  • Allow-list: read:user, user:email, repo, public_repo, repo:status, read:org (prevents arbitrary scope injection).
• Tests & Docs
  • test_auth_scopes.py (tests invalid/valid scopes + redirect behavior).
  • oauth-scopes.md (explains scopes and recommendations).
  • Small fixes for test imports/config defaults so tests run locally.

How to test

• Made 2 test files in backend/test folder
• Run tests: python -m pytest test_auth_scopes.py -q
• Run dev server and visit /login — select scopes, continue, and verify redirect to GitHub contains the requested scopes.
• After authorizing, visit /auth/scopes (or profile page) to see requested vs granted scopes.

current repo:status is sufficient for commit-status features and does NOT grant repo code access. repo grants broad access (including private repo code).

Actually, i wanted to recommended and for making a another issue [Feature update]: add a settings/revoke UI and/or a re-authorize flow to change scopes later.

[github-actions]

Thanks for creating a PR for your Issue! ☺️

We'll review it as soon as possible.
In the meantime, please double-check the file changes and ensure that all commits are accurate.

If there are any unresolved review comments, feel free to resolve them. 🙌🏼