fix: use GitHub App installation token instead of encrypted PAT for analysis jobs

Shaurya Singh · Shaurya Singh · commit 76bd893653c6 · 2025-12-21T10:20:50.000+05:30
diff --git a/src/analysis/pipeline.ts b/src/analysis/pipeline.ts
@@ -1,6 +1,6 @@
 import { Job } from 'bullmq';
 import { AnalysisJobData } from '../queue/jobs';
-import { createGitHubClient } from '../github/client';
+import { getInstallationOctokit } from '../github/app-client';
 import { fetchRepoSnapshot } from '../github/fetchers';
 import { generateAllOutputs } from '../ai/generator';
 import { decrypt } from '../utils/encryption';
@@ -11,7 +11,7 @@ import db from '../db/client';
  * Main analysis pipeline processor
  */
 export async function processAnalysisJob(job: Job<AnalysisJobData>): Promise<void> {
-  const { jobId, repoId, userId, owner, repo, branch, depth, tone, ignorePaths, accessToken } = job.data;
+  const { jobId, repoId, userId, owner, repo, branch, depth, tone, ignorePaths, installationId } = job.data;
 
   try {
     // Update job status to running
@@ -20,8 +20,8 @@ export async function processAnalysisJob(job: Job<AnalysisJobData>): Promise<voi
 
     // Step 1: Fetch GitHub data (0-25%)
     await job.updateProgress(5);
-    const decryptedToken = decrypt(accessToken);
-    const octokit = createGitHubClient(decryptedToken);
+    console.log(`📡 Getting GitHub App installation token for installation: ${installationId}`);
+    const octokit = await getInstallationOctokit(installationId);
 
     await updateJobStatus(jobId, 'running', 25, 'Fetching repository data...');
     const snapshot = await fetchRepoSnapshot(octokit, owner, repo, branch, depth, ignorePaths);
diff --git a/src/queue/jobs.ts b/src/queue/jobs.ts
@@ -11,7 +11,7 @@ export interface AnalysisJobData {
   depth: 'fast' | 'deep';
   tone: 'concise' | 'detailed';
   ignorePaths: string[];
-  accessToken: string;
+  installationId: number;
 }
 
 export interface ExportJobData {
diff --git a/src/routes/jobs.ts b/src/routes/jobs.ts
@@ -3,6 +3,7 @@ import { AuthenticatedRequest, requireAuth } from '../auth/middleware';
 import { resolveRepoId, verifyJobOwnership } from '../auth/ownership';
 import { enqueueAnalysisJob } from '../queue/jobs';
 import { generateSnapshotHash, findRecentJob, createAnalysisJob } from '../analysis/idempotency';
+import { getUserInstallationId } from '../github/app-client';
 import db from '../db/client';
 
 export default async function jobsRoutes(fastify: FastifyInstance) {
@@ -39,17 +40,12 @@ export default async function jobsRoutes(fastify: FastifyInstance) {
       const repo = repoResult.rows[0];
       const [owner, repoName] = repo.full_name.split('/');
 
-      // Get GitHub access token
-      const tokenResult = await db.query(
-        'SELECT access_token_encrypted FROM github_accounts WHERE user_id = $1 LIMIT 1',
-        [req.userId]
-      );
+      // Get GitHub App installation ID
+      const installationId = await getUserInstallationId(req.userId, db);
 
-      if (tokenResult.rows.length === 0) {
-        return reply.status(404).send({ error: 'No GitHub account connected' });
+      if (!installationId) {
+        return reply.status(404).send({ error: 'No GitHub App installed. Please install the GitHub App.' });
       }
-
-      const accessToken = tokenResult.rows[0].access_token_encrypted;
       
       // For idempotency, using current timestamp as part of hash
       // In production, would fetch latest commit SHA
@@ -84,7 +80,7 @@ export default async function jobsRoutes(fastify: FastifyInstance) {
         depth: repo.analysis_depth,
         tone: repo.output_tone,
         ignorePaths: repo.ignore_paths || [],
-        accessToken,
+        installationId,
       });
 
       return reply.status(202).send({
diff --git a/src/scheduler/index.ts b/src/scheduler/index.ts
@@ -44,7 +44,7 @@ async function checkScheduledRepos() {
          rs.output_tone,
          rs.ignore_paths,
          rs.schedule,
-         ga.access_token_encrypted,
+         ga.installation_id,
          (SELECT created_at FROM analysis_jobs 
           WHERE repo_id = r.id 
           ORDER BY created_at DESC 
@@ -53,7 +53,8 @@ async function checkScheduledRepos() {
        JOIN repo_settings rs ON rs.repo_id = r.id
        JOIN github_accounts ga ON ga.user_id = r.user_id
        WHERE r.status = 'active'
-         AND rs.schedule != 'manual'`
+         AND rs.schedule != 'manual'
+         AND ga.installation_id IS NOT NULL`
     );
 
     for (const repo of result.rows) {
@@ -150,7 +151,7 @@ async function scheduleRepoAnalysis(repo: any) {
       depth: repo.analysis_depth,
       tone: repo.output_tone,
       ignorePaths: repo.ignore_paths || [],
-      accessToken: repo.access_token_encrypted,
+      installationId: repo.installation_id,
     });
 
     console.log(`✅ Scheduled analysis for ${repo.full_name} (Job ID: ${jobId})`);

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ export interface AnalysisJobData {`
`11`	`11`	`depth: 'fast' \| 'deep';`
`12`	`12`	`tone: 'concise' \| 'detailed';`
`13`	`13`	`ignorePaths: string[];`
`14`		`- accessToken: string;`
	`14`	`+ installationId: number;`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`export interface ExportJobData {`