Skip to content

feat(auth): migrates from GitHub App to OAuth App#4

Merged
wgordon17 merged 22 commits intogordon-code:mainfrom
wgordon17:roadmap/phase-1/oauth-app-migration
Mar 24, 2026
Merged

feat(auth): migrates from GitHub App to OAuth App#4
wgordon17 merged 22 commits intogordon-code:mainfrom
wgordon17:roadmap/phase-1/oauth-app-migration

Conversation

@wgordon17
Copy link
Copy Markdown
Member

@wgordon17 wgordon17 commented Mar 24, 2026

Summary

  • Migrates authentication from GitHub App (expiring tokens + HttpOnly cookie refresh) to OAuth App (permanent tokens in localStorage with explicit scopes repo read:org notifications)
  • Simplifies Cloudflare Worker from 3 OAuth endpoints to 1 (token exchange only), removing all cookie/refresh infrastructure (-893 lines)
  • Adds dashboard data reset and poll coordinator cleanup on logout to prevent cross-user data leakage

wgordon17 added 22 commits March 24, 2026 14:56
@wgordon17
refactor(worker): removes refresh and logout endpoints
86a645c
@wgordon17
refactor(auth): switches to localStorage token persistence for OAuth App
5be4d48
@wgordon17
docs: updates documentation for OAuth App migration
fd0f9e7
@wgordon17
fix: addresses review findings from security/QA/structural review
3b6ded3
@wgordon17
fix: adds scope comment and clearAuth reentrancy guard
5e3eb3a
@wgordon17
fix(auth): wraps clearAuth reentrancy guard in try/finally
f206675
@wgordon17
refactor: removes void wrapper, adds try/finally guard
885a783
@wgordon17
refactor(poll): updates stale comments for OAuth App model
8736043
@wgordon17
fix(e2e): adds missing fullName to config seed repos
301e7b3
@wgordon17
fix: addresses PR review findings from code review
1f0c070 
- Adds read-only guard to Octokit client (blocks non-GET except POST /graphql)
- Fixes _coordinator not nulled on DashboardPage unmount (polling died after navigation)
- Validates token before navigating in OAuthCallback (clears auth on failure)
- Deduplicates onCleanup/destroy in poll coordinator (onCleanup delegates to destroy)
- Merges two onAuthCleared registrations into single callback in DashboardPage
- Uses top-level import type for DashboardData instead of inline import()
- Simplifies localStorage init guard in auth.ts (drops typeof, keeps optional chaining)
- Adds tests: destroy(), reentrancy guard, validateToken=false, OPTIONS 404, cold-start
@wgordon17
fix(test): adds onAuthCleared test, migrates to vi.doMock
686864e
@wgordon17
fix(dashboard): preserves existing data during poll refresh
80479bc
@wgordon17
feat(dashboard): caches data in localStorage for instant reload
81f332a
@wgordon17
fix(poll): eagerly creates Octokit client for background refresh
f4e59dd
@wgordon17
fix(ui): restores refresh spinner and fades update label
351ff2a
@wgordon17
fix(dashboard): calls destroy() on coordinator in onCleanup
7ef7f3f
@wgordon17
fix: addresses domain review findings from quality gate
631728e
@wgordon17
refactor: moves dashboard storage key to auth, dedupes client
175d5e6
@wgordon17
fix: tightens read-only guard, removes dead fork fields
f33735e
@wgordon17
fix(test): adds DASHBOARD_STORAGE_KEY to auth mock
95b67af
@wgordon17
fix(test): uses workspace config for local and CI parity
87d918b
@wgordon17
fix(test): clears localStorage in beforeEach for CI parity
9da96e2
@wgordon17 wgordon17 merged commit d490ec4 into gordon-code:main Mar 24, 2026
1 check passed
@wgordon17 wgordon17 deleted the roadmap/phase-1/oauth-app-migration branch March 25, 2026 00:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@wgordon17