
stacklok / toolhive / 18789006560
51%

Build:
DEFAULT BRANCH: main
Ran 24 Oct 2025 06:47PM UTC
Jobs 1
Files 299
Run time 1min
24 Oct 2025 06:42PM UTC coverage: 47.478% (+0.2%) from 47.326%
18789006560

push

github

web-flow
Add GitHub.com OAuth authentication provider for token introspection (#2322)

* Add GitHub.com OAuth authentication provider for token introspection

Implements a custom token introspection provider for GitHub.com OAuth
that validates GitHub OAuth tokens via GitHub's token validation API.
This enables per-user authentication scenarios where users authenticate
with their own GitHub tokens.

The provider implements the TokenIntrospector interface following the
same pattern as the existing GoogleProvider, with automatic registration
when GitHub API URLs are detected.

Key Features:
- Validates GitHub OAuth tokens via POST /applications/{client_id}/token
- Maps GitHub user attributes to JWT claims for Cedar authorization
- Supports claims: sub, login, email, scopes, site_admin, etc.
- Integrates with existing OIDC middleware for automatic opaque token detection

Security Hardening:
- Strict URL validation (api.github.com only, HTTPS required)
- SSRF protection via secured HTTP client with private IP blocking
- Local rate limiting (100 req/sec) to prevent DoS attacks
- GitHub API rate limit handling (429 responses with retry-after)

Testing:
- 10 comprehensive unit tests (all passing)
- Security tests for SSRF, HTTPS enforcement, rate limiting
- Linter clean (0 issues)

Note: Configuration examples and documentation will be added after #2321
is resolved to enable secure secret management via SecretKeyRef.

Related: #2321

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com>

* Refactor NewTokenValidator to reduce complexity

Extract provider registration logic into a separate
registerIntrospectionProviders helper function to improve code
organization and reduce cyclomatic complexity.

Changes:
- Add registerIntrospectionProviders helper function that handles
  Google, GitHub, and RFC7662 provider registration
- Move client secret environment vari... (continued)

176 of 209 new or added lines in 2 files covered. (84.21%)

17 existing lines in 3 files now uncovered.

19088 of 40204 relevant lines covered (47.48%)

15.43 hits per line

New Missed Lines in Diff

Lines  Coverage  ∆        File
14     91.81              pkg/auth/github_provider.go
19     81.34     -1.76%   pkg/auth/token.go

Uncovered Existing Lines

Lines  Coverage  ∆        File
1      81.34     -1.76%   pkg/auth/token.go
2      81.62     -0.56%   pkg/transport/proxy/httpsse/http_proxy.go
14     54.74     -10.53%  pkg/secrets/keyring/keyctl_linux.go

Jobs
ID  Job ID         Ran                      Files  Coverage
1   18789006560.1  24 Oct 2025 06:47PM UTC  299    47.48
GitHub Action Run
  • Github Actions Build #18789006560
  • 18b05d0c on github
  • Prev Build on main (#18788768011)
  • Next Build on main (#18798794631)