Add support for private github repos via git:directory

Author: akirk

packages/playground/storage/src/lib/git-sparse-checkout.ts

@@ -30,6 +30,93 @@ if (typeof globalThis.Buffer === 'undefined') {
 	globalThis.Buffer = BufferPolyfill;
 }
 
+/**
+ * Module-level storage for GitHub authentication token.
+ * This is set by browser-specific code when GitHub OAuth is available.
+ */
+let gitHubAuthToken: string | undefined;
+
+/**
+ * Sets the GitHub authentication token to use for git protocol requests.
+ * This is intended to be called by browser-specific initialization code
+ * where GitHub OAuth is available.
+ *
+ * @param token The GitHub OAuth token, or undefined to clear it
+ */
+export function setGitHubAuthToken(token: string | undefined) {
+	gitHubAuthToken = token;
+}
+
+/**
+ * Custom error class for GitHub authentication failures.
+ */
+export class GitHubAuthenticationError extends Error {
+	constructor(public repoUrl: string, public status: number) {
+		super(
+			`Authentication required to access private GitHub repository: ${repoUrl}`
+		);
+		this.name = 'GitHubAuthenticationError';
+	}
+}
+
+/**
+ * Checks if a URL is a GitHub URL by parsing the hostname.
+ * Handles both direct GitHub URLs and CORS-proxied URLs.
+ *
+ * @param url The URL to check
+ * @returns true if the URL is definitively a GitHub URL, false otherwise
+ */
+function isGitHubUrl(url: string): boolean {
+	try {
+		const parsedUrl = new URL(url);
+
+		// Direct GitHub URL - check hostname
+		if (parsedUrl.hostname === 'github.com') {
+			return true;
+		}
+
+		// CORS-proxied GitHub URL - the actual GitHub URL should be in the query string
+		// Format: https://proxy.com/cors-proxy.php?https://github.com/...
+		// We need to extract and validate the proxied URL's hostname
+		const queryString = parsedUrl.search.substring(1); // Remove leading '?'
+		if (queryString) {
+			// Try to extract a URL from the query string
+			// Match URLs that start with http:// or https://
+			const urlMatch = queryString.match(/^(https?:\/\/[^\s&]+)/);
+			if (urlMatch) {
+				try {
+					const proxiedUrl = new URL(urlMatch[1]);
+					if (proxiedUrl.hostname === 'github.com') {
+						return true;
+					}
+				} catch {
+					// Invalid proxied URL, ignore
+				}
+			}
+		}
+
+		return false;
+	} catch {
+		// If URL parsing fails, return false
+		return false;
+	}
+}
+
+/**
+ * Adds GitHub authentication headers to a headers object if a token is available
+ * and the URL is a GitHub URL.
+ */
+function addGitHubAuthHeaders(headers: HeadersInit, url: string): void {
+	if (gitHubAuthToken && isGitHubUrl(url)) {
+		// GitHub Git protocol requires Basic Auth with token as username and empty password
+		const basicAuth = btoa(`${gitHubAuthToken}:`);
+		headers['Authorization'] = `Basic ${basicAuth}`;
+		// Tell CORS proxy to forward the Authorization header
+		// Must be lowercase because the CORS proxy lowercases header names for comparison
+		headers['X-Cors-Proxy-Allowed-Request-Headers'] = 'authorization';
+	}
+}
+
 /**
  * Downloads specific files from a git repository.
  * It uses the git protocol over HTTP to fetch the files. It only uses
@@ -253,17 +340,33 @@ export async function listGitRefs(
 		])) as any
 	);
 
+	const headers: HeadersInit = {
+		Accept: 'application/x-git-upload-pack-advertisement',
+		'content-type': 'application/x-git-upload-pack-request',
+		'Content-Length': `${packbuffer.length}`,
+		'Git-Protocol': 'version=2',
+	};
+
+	addGitHubAuthHeaders(headers, repoUrl);
+
 	const response = await fetch(repoUrl + '/git-upload-pack', {
 		method: 'POST',
-		headers: {
-			Accept: 'application/x-git-upload-pack-advertisement',
-			'content-type': 'application/x-git-upload-pack-request',
-			'Content-Length': `${packbuffer.length}`,
-			'Git-Protocol': 'version=2',
-		},
+		headers,
 		body: packbuffer as any,
 	});
 
+	if (!response.ok) {
+		if (
+			(response.status === 401 || response.status === 403) &&
+			isGitHubUrl(repoUrl)
+		) {
+			throw new GitHubAuthenticationError(repoUrl, response.status);
+		}
+		throw new Error(
+			`Failed to fetch git refs from ${repoUrl}: ${response.status} ${response.statusText}`
+		);
+	}
+
 	const refs: Record<string, string> = {};
 	for await (const line of parseGitResponseLines(response)) {
 		const spaceAt = line.indexOf(' ');
@@ -403,16 +506,32 @@ async function fetchWithoutBlobs(repoUrl: string, commitHash: string) {
 		])) as any
 	);
 
+	const headers: HeadersInit = {
+		Accept: 'application/x-git-upload-pack-advertisement',
+		'content-type': 'application/x-git-upload-pack-request',
+		'Content-Length': `${packbuffer.length}`,
+	};
+
+	addGitHubAuthHeaders(headers, repoUrl);
+
 	const response = await fetch(repoUrl + '/git-upload-pack', {
 		method: 'POST',
-		headers: {
-			Accept: 'application/x-git-upload-pack-advertisement',
-			'content-type': 'application/x-git-upload-pack-request',
-			'Content-Length': `${packbuffer.length}`,
-		},
+		headers,
 		body: packbuffer as any,
 	});
 
+	if (!response.ok) {
+		if (
+			(response.status === 401 || response.status === 403) &&
+			isGitHubUrl(repoUrl)
+		) {
+			throw new GitHubAuthenticationError(repoUrl, response.status);
+		}
+		throw new Error(
+			`Failed to fetch git objects from ${repoUrl}: ${response.status} ${response.statusText}`
+		);
+	}
+
 	const iterator = streamToIterator(response.body!);
 	const parsed = await parseUploadPackResponse(iterator);
 	const packfile = Buffer.from((await collect(parsed.packfile)) as any);
@@ -552,16 +671,32 @@ async function fetchObjects(url: string, objectHashes: string[]) {
 		])) as any
 	);
 
+	const headers: HeadersInit = {
+		Accept: 'application/x-git-upload-pack-advertisement',
+		'content-type': 'application/x-git-upload-pack-request',
+		'Content-Length': `${packbuffer.length}`,
+	};
+
+	addGitHubAuthHeaders(headers, url);
+
 	const response = await fetch(url + '/git-upload-pack', {
 		method: 'POST',
-		headers: {
-			Accept: 'application/x-git-upload-pack-advertisement',
-			'content-type': 'application/x-git-upload-pack-request',
-			'Content-Length': `${packbuffer.length}`,
-		},
+		headers,
 		body: packbuffer as any,
 	});
 
+	if (!response.ok) {
+		if (
+			(response.status === 401 || response.status === 403) &&
+			isGitHubUrl(url)
+		) {
+			throw new GitHubAuthenticationError(url, response.status);
+		}
+		throw new Error(
+			`Failed to fetch git objects from ${url}: ${response.status} ${response.statusText}`
+		);
+	}
+
 	const iterator = streamToIterator(response.body!);
 	const parsed = await parseUploadPackResponse(iterator);
 	const packfile = Buffer.from((await collect(parsed.packfile)) as any);

packages/playground/website/src/components/github-private-repo-auth-modal/index.tsx

@@ -0,0 +1,56 @@
+import { Modal } from '../modal';
+import { useAppDispatch } from '../../lib/state/redux/store';
+import { setActiveModal } from '../../lib/state/redux/slice-ui';
+import { Icon } from '@wordpress/components';
+import { GitHubIcon } from '../../github/github';
+import css from '../../github/github-oauth-guard/style.module.css';
+
+const OAUTH_FLOW_URL = 'oauth.php?redirect=1';
+
+export function GitHubPrivateRepoAuthModal() {
+	const dispatch = useAppDispatch();
+
+	// Remove the modal parameter from the redirect URI
+	// so it doesn't persist after OAuth completes
+	const redirectUrl = new URL(window.location.href);
+	redirectUrl.searchParams.delete('modal');
+
+	const urlParams = new URLSearchParams();
+	urlParams.set('redirect_uri', redirectUrl.toString());
+	const oauthUrl = `${OAUTH_FLOW_URL}&${urlParams.toString()}`;
+
+	return (
+		<Modal
+			title="Connect to GitHub"
+			onRequestClose={() => dispatch(setActiveModal(null))}
+		>
+			<div>
+				<p>
+					This blueprint requires access to a private GitHub
+					repository.
+				</p>
+				<p>
+					To continue, please connect your GitHub account with
+					WordPress Playground.
+				</p>
+
+				<p>
+					<a
+						aria-label="Connect your GitHub account"
+						className={css.githubButton}
+						href={oauthUrl}
+					>
+						<Icon icon={GitHubIcon} />
+						Connect your GitHub account
+					</a>
+				</p>
+				<p>
+					<small>
+						Your access token is stored only in memory and will be
+						cleared when you close this tab.
+					</small>
+				</p>
+			</div>
+		</Modal>
+	);
+}

packages/playground/website/src/components/layout/index.tsx

@@ -31,6 +31,7 @@ import { PreviewPRModal } from '../../github/preview-pr';
 import { MissingSiteModal } from '../missing-site-modal';
 import { RenameSiteModal } from '../rename-site-modal';
 import { SaveSiteModal } from '../save-site-modal';
+import { GitHubPrivateRepoAuthModal } from '../github-private-repo-auth-modal';
 
 acquireOAuthTokenIfNeeded();
 
@@ -41,6 +42,7 @@ export const modalSlugs = {
 	IMPORT_FORM: 'import-form',
 	GITHUB_IMPORT: 'github-import',
 	GITHUB_EXPORT: 'github-export',
+	GITHUB_PRIVATE_REPO_AUTH: 'github-private-repo-auth',
 	PREVIEW_PR_WP: 'preview-pr-wordpress',
 	PREVIEW_PR_GUTENBERG: 'preview-pr-gutenberg',
 	MISSING_SITE_PROMPT: 'missing-site-prompt',
@@ -216,6 +218,8 @@ function Modals(blueprint: BlueprintV1Declaration) {
 		return <RenameSiteModal />;
 	} else if (currentModal === modalSlugs.SAVE_SITE) {
 		return <SaveSiteModal />;
+	} else if (currentModal === modalSlugs.GITHUB_PRIVATE_REPO_AUTH) {
+		return <GitHubPrivateRepoAuthModal />;
 	}
 
 	if (query.get('gh-ensure-auth') === 'yes') {

packages/playground/website/src/github/acquire-oauth-token-if-needed.tsx

@@ -1,5 +1,6 @@
 import { setOAuthToken, oAuthState } from './state';
 import { oauthCode } from './github-oauth-guard';
+import { setGitHubAuthToken } from '@wp-playground/storage';
 
 export async function acquireOAuthTokenIfNeeded() {
 	if (!oauthCode) {
@@ -25,15 +26,21 @@ export async function acquireOAuthTokenIfNeeded() {
 		});
 		const body = await response.json();
 		setOAuthToken(body.access_token);
+		setGitHubAuthToken(body.access_token);
+
+		// Remove the ?code=... from the URL and clean up any modal state
+		const url = new URL(window.location.href);
+		url.searchParams.delete('code');
+		url.searchParams.delete('modal');
+		// Keep the hash (it contains the blueprint)
+
+		// Reload the page to retry the blueprint with the new token
+		// This is necessary because the blueprint failed before we had the token
+		window.location.href = url.toString();
 	} finally {
 		oAuthState.value = {
 			...oAuthState.value,
 			isAuthorizing: false,
 		};
 	}
-
-	// Remove the ?code=... from the URL
-	const url = new URL(window.location.href);
-	url.searchParams.delete('code');
-	window.history.replaceState(null, '', url.toString());
 }

packages/playground/website/src/github/state.ts

@@ -1,4 +1,5 @@
 import { signal } from '@preact/signals-react';
+import { setGitHubAuthToken } from '@wp-playground/storage';
 
 export interface GitHubOAuthState {
 	token?: string;
@@ -16,6 +17,11 @@ export const oAuthState = signal<GitHubOAuthState>({
 	token: shouldStoreToken ? localStorage.getItem(TOKEN_KEY) || '' : '',
 });
 
+// Initialize the git-sparse-checkout module with the token if it exists
+if (oAuthState.value.token) {
+	setGitHubAuthToken(oAuthState.value.token);
+}
+
 export function setOAuthToken(token?: string) {
 	if (shouldStoreToken) {
 		localStorage.setItem(TOKEN_KEY, token || '');
@@ -24,4 +30,6 @@ export function setOAuthToken(token?: string) {
 		...oAuthState.value,
 		token,
 	};
+	// Also update the token in the git-sparse-checkout module
+	setGitHubAuthToken(token);
 }

packages/playground/website/src/lib/state/redux/boot-site-client.ts

@@ -198,6 +198,13 @@ export function bootSiteClient(
 				(e as any).originalErrorClassName === 'ArtifactExpiredError'
 			) {
 				dispatch(setActiveSiteError('github-artifact-expired'));
+			} else if (
+				(e as any).name === 'GitHubAuthenticationError' ||
+				(e as any).originalErrorClassName ===
+					'GitHubAuthenticationError' ||
+				(e as any).cause?.name === 'GitHubAuthenticationError'
+			) {
+				dispatch(setActiveModal(modalSlugs.GITHUB_PRIVATE_REPO_AUTH));
 			} else {
 				dispatch(setActiveSiteError('site-boot-failed'));
 				dispatch(setActiveModal(modalSlugs.ERROR_REPORT));

packages/playground/website/src/lib/state/redux/slice-ui.ts

@@ -34,10 +34,13 @@ const initialState: UIState = {
 	 * Don't show certain modals after a page refresh.
 	 * The save-site and error-report modals should only be triggered by user actions,
 	 * not by loading a URL with the modal parameter.
+	 * The github-private-repo-auth modal should only be triggered by authentication errors,
+	 * not by loading a URL with the modal parameter.
 	 */
 	activeModal:
 		query.get('modal') === 'error-report' ||
-		query.get('modal') === 'save-site'
+		query.get('modal') === 'save-site' ||
+		query.get('modal') === 'github-private-repo-auth'
 			? null
 			: query.get('modal') || null,
 	offline: !navigator.onLine,
@@ -122,7 +125,8 @@ export const listenToOnlineOfflineEventsMiddleware: Middleware =
 			 */
 			if (
 				query.get('modal') === 'error-report' ||
-				query.get('modal') === 'save-site'
+				query.get('modal') === 'save-site' ||
+				query.get('modal') === 'github-private-repo-auth'
 			) {
 				setTimeout(() => {
 					store.dispatch(uiSlice.actions.setActiveModal(null));

packages/playground/website/vite.oauth.ts

@@ -18,7 +18,7 @@ export const oAuthMiddleware = async (
 	if (query.get('redirect') === '1') {
 		const params: Record<string, string> = {
 			client_id: CLIENT_ID!,
-			scope: 'public_repo',
+			scope: 'repo',
 		};
 		if (query.has('redirect_uri')) {
 			params.redirect_uri = query.get('redirect_uri')!;