Address review feedback

akirk · akirk · commit 143f30ffa222 · 2025-11-14T15:57:08.000+01:00
diff --git a/packages/playground/storage/src/lib/git-sparse-checkout.ts b/packages/playground/storage/src/lib/git-sparse-checkout.ts
@@ -44,17 +44,6 @@ export class GitAuthenticationError extends Error {
 
 export type GitAdditionalHeaders = (url: string) => Record<string, string>;
 
-function resolveGitHeaders(
-	url: string,
-	headers?: GitAdditionalHeaders
-): Record<string, string> {
-	if (!headers || typeof headers !== 'function') {
-		return {};
-	}
-
-	return headers(url);
-}
-
 /**
  * Downloads specific files from a git repository.
  * It uses the git protocol over HTTP to fetch the files. It only uses
@@ -98,7 +87,7 @@ export async function sparseCheckout(
 	const treesPack = await fetchWithoutBlobs(
 		repoUrl,
 		commitHash,
-		resolveGitHeaders(repoUrl, options?.additionalHeaders)
+		options?.additionalHeaders?.(repoUrl) ?? {}
 	);
 	const objects = await resolveObjects(treesPack.idx, commitHash, filesPaths);
 
@@ -108,7 +97,7 @@ export async function sparseCheckout(
 			? await fetchObjects(
 					repoUrl,
 					blobOids,
-					resolveGitHeaders(repoUrl, options?.additionalHeaders)
+					options?.additionalHeaders?.(repoUrl) ?? {}
 			  )
 			: null;
 
@@ -219,7 +208,7 @@ export async function listGitFiles(
 	const treesPack = await fetchWithoutBlobs(
 		repoUrl,
 		commitHash,
-		resolveGitHeaders(repoUrl, additionalHeaders)
+		additionalHeaders?.(repoUrl) ?? {}
 	);
 	const rootTree = await resolveAllObjects(treesPack.idx, commitHash);
 	if (!rootTree?.object) {
@@ -306,7 +295,7 @@ export async function listGitRefs(
 			'content-type': 'application/x-git-upload-pack-request',
 			'Content-Length': `${packbuffer.length}`,
 			'Git-Protocol': 'version=2',
-			...resolveGitHeaders(repoUrl, additionalHeaders),
+			...(additionalHeaders?.(repoUrl) ?? {}),
 		},
 		body: packbuffer as any,
 	});
diff --git a/packages/playground/website/src/github/git-auth-helpers.spec.ts b/packages/playground/website/src/github/git-auth-helpers.spec.ts
@@ -1,7 +1,11 @@
-import { describe, it, expect, beforeEach } from 'vitest';
+import { describe, it, expect, beforeEach, vi } from 'vitest';
 import { createGitHubAuthHeaders, isGitHubUrl } from './git-auth-helpers';
 import { oAuthState } from './state';
 
+vi.mock('virtual:cors-proxy-url', () => ({
+	corsProxyUrl: 'https://corsproxyurl/',
+}));
+
 describe('isGitHubUrl', () => {
 	describe('direct GitHub URLs', () => {
 		it('returns true for github.com URLs', () => {
@@ -40,34 +44,27 @@ describe('isGitHubUrl', () => {
 		it('returns true for GitHub URLs through CORS proxy', () => {
 			expect(
 				isGitHubUrl(
-					'https://playground.wordpress.net/cors-proxy.php?https://github.com/user/repo'
-				)
-			).toBe(true);
-			expect(
-				isGitHubUrl(
-					'http://127.0.0.1:5263/cors-proxy.php?https://github.com/user/repo'
+					'https://corsproxyurl/?https://github.com/user/repo'
 				)
 			).toBe(true);
 		});
 
 		it('returns false for non-GitHub URLs through CORS proxy', () => {
 			expect(
 				isGitHubUrl(
-					'https://playground.wordpress.net/cors-proxy.php?https://gitlab.com/user/repo'
+					'https://corsproxyurl/?https://gitlab.com/user/repo'
 				)
 			).toBe(false);
 		});
 
 		it('returns false for malicious URLs through CORS proxy', () => {
 			expect(
 				isGitHubUrl(
-					'https://playground.wordpress.net/cors-proxy.php?https://evil.com/github.com/fake'
+					'https://corsproxyurl/?https://evil.com/github.com/fake'
 				)
 			).toBe(false);
 			expect(
-				isGitHubUrl(
-					'http://127.0.0.1:5263/cors-proxy.php?https://github.com.evil.com'
-				)
+				isGitHubUrl('https://corsproxyurl/?https://github.com.evil.com')
 			).toBe(false);
 		});
 	});
@@ -116,7 +113,7 @@ describe('createGitHubAuthHeaders integration', () => {
 		it('includes Authorization header for GitHub URLs through CORS proxy', () => {
 			const getHeaders = createGitHubAuthHeaders();
 			const headers = getHeaders(
-				'https://playground.wordpress.net/cors-proxy.php?https://github.com/user/repo'
+				'https://corsproxyurl/?https://github.com/user/repo'
 			);
 
 			expect(headers).toHaveProperty('Authorization');
@@ -136,7 +133,7 @@ describe('createGitHubAuthHeaders integration', () => {
 		it('does NOT include Authorization header for non-GitHub URLs through CORS proxy', () => {
 			const getHeaders = createGitHubAuthHeaders();
 			const headers = getHeaders(
-				'https://playground.wordpress.net/cors-proxy.php?https://gitlab.com/user/repo'
+				'https://corsproxyurl/?https://gitlab.com/user/repo'
 			);
 
 			expect(headers).toEqual({});
@@ -164,5 +161,22 @@ describe('createGitHubAuthHeaders integration', () => {
 			const decoded = atob(headers.Authorization.replace('Basic ', ''));
 			expect(decoded).toBe('test-token:');
 		});
+
+		it('handles tokens with non-ASCII characters (UTF-8)', () => {
+			// This would fail with plain btoa(): "characters outside of the Latin1 range"
+			oAuthState.value = {
+				token: 'test-token-ąñ-emoji-🔑',
+				isAuthorizing: false,
+			};
+			const getHeaders = createGitHubAuthHeaders();
+			const headers = getHeaders('https://github.com/user/repo');
+
+			expect(headers).toHaveProperty('Authorization');
+			expect(headers.Authorization).toMatch(/^Basic /);
+
+			// Verify the encoding is valid base64
+			const base64Part = headers.Authorization.replace('Basic ', '');
+			expect(() => atob(base64Part)).not.toThrow();
+		});
 	});
 });
diff --git a/packages/playground/website/src/github/git-auth-helpers.ts b/packages/playground/website/src/github/git-auth-helpers.ts
@@ -1,21 +1,30 @@
 import { oAuthState } from './state';
-
-const KNOWN_CORS_PROXY_URLS = [
-	'https://playground.wordpress.net/cors-proxy.php?',
-	'https://wordpress-playground-cors-proxy.net/?',
-	'http://127.0.0.1:5263/cors-proxy.php?',
-];
+import { corsProxyUrl } from 'virtual:cors-proxy-url';
 
 export function isGitHubUrl(url: string): boolean {
-	for (const corsProxyUrl of KNOWN_CORS_PROXY_URLS) {
-		if (url.startsWith(corsProxyUrl)) {
-			url = url.substring(corsProxyUrl.length);
-			break;
-		}
-	}
-
 	try {
 		const urlObj = new URL(url);
+		const corsProxyOrigin = new URL(corsProxyUrl).origin;
+
+		if (urlObj.origin === corsProxyOrigin && urlObj.search) {
+			const queryWithoutQuestion = urlObj.search.substring(1);
+			// Check if the query string starts with http:// or https://
+			if (queryWithoutQuestion.match(/^https?:\/\//)) {
+				const decodedUrl = decodeURIComponent(queryWithoutQuestion);
+				try {
+					const targetUrlObj = new URL(decodedUrl);
+					const hostname = targetUrlObj.hostname;
+					return (
+						hostname === 'github.com' ||
+						hostname === 'api.github.com'
+					);
+				} catch {
+					// If parsing the target URL fails, fall through to direct check
+				}
+			}
+		}
+
+		// Direct URL check
 		const hostname = urlObj.hostname;
 		return hostname === 'github.com' || hostname === 'api.github.com';
 	} catch {
@@ -33,8 +42,16 @@ export function createGitHubAuthHeaders(): (
 			return {};
 		}
 
+		const encoder = new TextEncoder();
+		const data = encoder.encode(`${token}:`);
+		const binary = [];
+		for (let i = 0; i < data.length; i++) {
+			binary.push(String.fromCharCode(data[i]));
+		}
+		const encodedToken = btoa(binary.join(''));
+
 		return {
-			Authorization: `Basic ${btoa(`${token}:`)}`,
+			Authorization: `Basic ${encodedToken}`,
 			// Tell the CORS proxy to forward the Authorization header
 			'X-Cors-Proxy-Allowed-Request-Headers': 'Authorization',
 		};
