
feat(auth): let users choose GitHub OAuth scopes (limit repo access) #43#57

Closed
kashifalikhan36 wants to merge 2 commits into AvishkarPatil:main from kashifalikhan36:main

Conversation

@kashifalikhan36

Description

Implemented a scoped OAuth flow and UI so users can pick which GitHub scopes to grant instead of requesting full repo access. This respects user privacy and makes the app request only what it needs.

Related Issue

Closes #43

What changed

  • Frontend
    • Login page: scope-selection UI (checkboxes) and redirects with validated scopes.
    • Navbar: go to login page so users can pick scopes.
    • Profile page: shows requested vs granted scopes.
  • Backend
    • GET /auth/login?scopes=... validates against an allow-list and stores github_requested_scopes in session.
    • GET /auth/scopes returns requested vs granted scopes.
    • Allow-list: read:user, user:email, repo, public_repo, repo:status, read:org (prevents arbitrary scope injection).
  • Tests & Docs
    • test_auth_scopes.py (tests invalid/valid scopes + redirect behavior).
    • oauth-scopes.md (explains scopes and recommendations).
    • Small fixes for test imports/config defaults so tests run locally.

How to test

  • Made 2 test files in the backend/test folder
  • Run tests: python -m pytest test_auth_scopes.py -q
  • Run dev server and visit /login — select scopes, continue, and verify redirect to GitHub contains the requested scopes.
  • After authorizing, visit /auth/scopes (or profile page) to see requested vs granted scopes.

Currently, repo:status is sufficient for commit-status features and does NOT grant repo code access; repo grants broad access (including private repo code).

Actually, I wanted to recommend making another issue [Feature update]: add a settings/revoke UI and/or a re-authorize flow to change scopes later.

Implements frontend UI for users to choose which GitHub OAuth scopes to grant, with backend validation against an allow-list. The login and profile pages now display requested and granted scopes, and documentation has been added to explain each scope and recommended usage. Tests ensure invalid scopes are rejected and valid ones are accepted.
Added a _debug_login.py script for manual login endpoint testing. Updated test_auth_scopes.py to avoid following external redirects and clarified assertions. Provided safe default values for sensitive config variables in config.py to ease local development and testing, and improved debug logging to avoid printing secrets.
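As an added example, not code from this PR or the project, here is how the allow-list validation behind GET /auth/login?scopes=... and the requested-vs-granted comparison behind GET /auth/scopes described above could be implemented in Python. The comma-separated scopes format, the default scope, the client_id/redirect_uri/state placeholders and the session-free function shape are assumptions; the allow-list is the one listed in the PR.

```python
from urllib.parse import urlencode

# Allow-list taken from the PR description; anything else is rejected outright.
ALLOWED_SCOPES = frozenset(
    {"read:user", "user:email", "repo", "public_repo", "repo:status", "read:org"}
)
# "repo" grants private-repo code access, so it is flagged as broad (per the PR text).
BROAD_SCOPES = frozenset({"repo"})
# GitHub's "repo" scope is a superset that implies these narrower scopes.
IMPLIED_SCOPES = {"repo": frozenset({"repo:status", "public_repo"})}
# Assumed default when the user picks nothing: the least-privilege identity scope.
DEFAULT_SCOPES = ("read:user",)

class InvalidScopeError(ValueError):
    """Raised when ?scopes=... contains a scope outside the allow-list."""

def parse_requested_scopes(raw):
    """Validate the ?scopes=... value (assumed comma-separated) against the allow-list
    before anything is stored in the session; returns a de-duplicated tuple in request order."""
    if raw is None or not raw.strip():
        return DEFAULT_SCOPES
    items = [s.strip() for s in raw.replace(" ", ",").split(",") if s.strip()]
    unknown = sorted(set(items) - ALLOWED_SCOPES)
    if unknown:
        raise InvalidScopeError(f"scopes not in allow-list: {unknown}")
    return tuple(dict.fromkeys(items))

def is_valid_scope_list(raw):
    """Boolean convenience wrapper around parse_requested_scopes."""
    try:
        parse_requested_scopes(raw)
        return True
    except InvalidScopeError:
        return False

def build_authorize_url(client_id, redirect_uri, state, scopes):
    """Redirect to GitHub's authorize endpoint; its scope parameter is space-separated."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "state": state, "scope": " ".join(scopes)}
    return "https://github.com/login/oauth/authorize?" + urlencode(params)

def compare_scopes(requested, granted):
    """Summarise requested vs granted for /auth/scopes: 'missing' accounts for scopes implied
    by a broader granted scope, 'extra' lists grants never asked for, 'broad' flags code access."""
    req, lit = set(requested), set(granted)
    effective = lit.union(*(IMPLIED_SCOPES.get(s, frozenset()) for s in lit))
    return {"requested": sorted(req), "granted": sorted(lit),
            "missing": sorted(req - effective), "extra": sorted(lit - req),
            "broad": sorted(lit & BROAD_SCOPES)}
```

The granted list would come from GitHub after the callback; here it is passed in by the caller so the comparison can be exercised offline.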
@github-actions

Thanks for creating a PR for your Issue! ☺️

We'll review it as soon as possible.
In the meantime, please double-check the file changes and ensure that all commits are accurate.

If there are any unresolved review comments, feel free to resolve them. 🙌🏼


Development

Successfully merging this pull request may close these issues.

[FEATURE] limit git accesses
