fix: verify PAT gist scope (#1722)

codebytere · web-flow · commit e1941d827b9b · 2025-07-22T10:16:42.000+02:00
diff --git a/src/renderer/components/dialog-token.tsx b/src/renderer/components/dialog-token.tsx
@@ -14,6 +14,7 @@ interface TokenDialogState {
   tokenInput: string;
   verifying: boolean;
   error: boolean;
+  errorMessage?: string;
 }
 
 const TOKEN_SCOPES = ['gist'].join();
@@ -37,6 +38,7 @@ export const TokenDialog = observer(
       this.state = {
         verifying: false,
         error: false,
+        errorMessage: undefined,
         tokenInput: '',
       };
 
@@ -49,28 +51,79 @@ export const TokenDialog = observer(
     }
 
     /**
-     * Handles the submission of a token
+     * Validates a GitHub token and checks for required scopes.
+     */
+    private async validateGitHubToken(token: string): Promise<{
+      isValid: boolean;
+      scopes: string[];
+      hasGistScope: boolean;
+      user?: any;
+      error?: string;
+    }> {
+      try {
+        const octokit = await getOctokit({ gitHubToken: token } as AppState);
+        const response = await octokit.users.getAuthenticated();
+
+        const scopes = response.headers['x-oauth-scopes']?.split(', ') || [];
+        const hasGistScope = scopes.includes('gist');
+
+        return {
+          isValid: true,
+          scopes,
+          hasGistScope,
+          user: response.data,
+        };
+      } catch (error) {
+        return {
+          isValid: false,
+          scopes: [],
+          hasGistScope: false,
+          error: error.message,
+        };
+      }
+    }
+
+    /**
+     * Handles the submission of a token and verifies
+     * that it has the correct scopes.
      */
     public async onSubmitToken(): Promise<void> {
       if (!this.state.tokenInput) return;
-      this.setState({ verifying: true });
-      this.props.appState.gitHubToken = this.state.tokenInput;
-
-      const octo = await getOctokit(this.props.appState);
+      this.setState({ verifying: true, error: false, errorMessage: undefined });
+
+      const validation = await this.validateGitHubToken(this.state.tokenInput);
+
+      if (!validation.isValid) {
+        console.warn(`Authenticating against GitHub failed`, validation.error);
+        this.setState({
+          verifying: false,
+          error: true,
+          errorMessage:
+            'Invalid GitHub token. Please check your token and try again.',
+        });
+        this.props.appState.gitHubToken = null;
+        return;
+      }
 
-      try {
-        const { data } = await octo.users.getAuthenticated();
-        this.props.appState.gitHubAvatarUrl = data.avatar_url;
-        this.props.appState.gitHubLogin = data.login;
-        this.props.appState.gitHubName = data.name;
-        this.setState({ verifying: false, error: false });
-      } catch (error) {
-        console.warn(`Authenticating against GitHub failed`, error);
-        this.setState({ verifying: false, error: true });
+      if (!validation.hasGistScope) {
+        console.warn(`Token missing required gist scope`);
+        this.setState({
+          verifying: false,
+          error: true,
+          errorMessage:
+            'Token is missing the "gist" scope. Please generate a new token with gist permissions.',
+        });
         this.props.appState.gitHubToken = null;
         return;
       }
 
+      // Token is valid and has required scopes.
+      this.props.appState.gitHubToken = this.state.tokenInput;
+      this.props.appState.gitHubAvatarUrl = validation.user.avatar_url;
+      this.props.appState.gitHubLogin = validation.user.login;
+      this.props.appState.gitHubName = validation.user.name;
+
+      this.setState({ verifying: false, error: false });
       this.props.appState.isTokenDialogShowing = false;
     }
 
@@ -89,6 +142,7 @@ export const TokenDialog = observer(
       this.setState({
         verifying: false,
         error: false,
+        errorMessage: undefined,
         tokenInput: '',
       });
     }
@@ -141,11 +195,12 @@ export const TokenDialog = observer(
     }
 
     get invalidWarning() {
+      const message =
+        this.state.errorMessage ||
+        'Please provide a valid GitHub Personal Access Token';
       return (
         <>
-          <Callout intent={Intent.DANGER}>
-            Please provide a valid GitHub Personal Access Token
-          </Callout>
+          <Callout intent={Intent.DANGER}>{message}</Callout>
           <br />
         </>
       );
diff --git a/tests/renderer/components/dialog-token-spec.tsx b/tests/renderer/components/dialog-token-spec.tsx
@@ -65,12 +65,17 @@ describe('TokenDialog component', () => {
     const wrapper = shallow(<TokenDialog appState={store} />);
     const instance: any = wrapper.instance();
 
-    wrapper.setState({ verifying: true, tokenInput: 'hello' });
+    wrapper.setState({
+      verifying: true,
+      tokenInput: 'hello',
+      errorMessage: 'test error',
+    });
     instance.reset();
 
     expect(wrapper.state()).toEqual({
       verifying: false,
       error: false,
+      errorMessage: undefined,
       tokenInput: '',
     });
   });
@@ -79,12 +84,17 @@ describe('TokenDialog component', () => {
     const wrapper = shallow(<TokenDialog appState={store} />);
     const instance: any = wrapper.instance();
 
-    wrapper.setState({ verifying: true, tokenInput: 'hello' });
+    wrapper.setState({
+      verifying: true,
+      tokenInput: 'hello',
+      errorMessage: 'test error',
+    });
     instance.onClose();
 
     expect(wrapper.state()).toEqual({
       verifying: false,
       error: false,
+      errorMessage: undefined,
       tokenInput: '',
     });
   });
@@ -121,7 +131,12 @@ describe('TokenDialog component', () => {
       mockOctokit = {
         authenticate: vi.fn(),
         users: {
-          getAuthenticated: vi.fn().mockResolvedValue({ data: mockUser }),
+          getAuthenticated: vi.fn().mockResolvedValue({
+            data: mockUser,
+            headers: {
+              'x-oauth-scopes': 'gist, repo',
+            },
+          }),
         },
       } as unknown as Octokit;
 
@@ -149,11 +164,55 @@ describe('TokenDialog component', () => {
       expect(store.gitHubLogin).toBe(mockUser.login);
       expect(store.gitHubName).toBe(mockUser.name);
       expect(store.gitHubAvatarUrl).toBe(mockUser.avatar_url);
+      expect(wrapper.state('error')).toBe(false);
+      expect(store.isTokenDialogShowing).toBe(false);
+    });
+
+    it('handles an invalid token error', async () => {
+      vi.mocked(mockOctokit.users.getAuthenticated).mockRejectedValue(
+        new Error('Bad credentials'),
+      );
+
+      const wrapper = shallow(<TokenDialog appState={store} />);
+      wrapper.setState({ tokenInput: mockValidToken });
+      const instance: any = wrapper.instance();
+
+      await instance.onSubmitToken();
+
+      expect(wrapper.state('error')).toBe(true);
+      expect(wrapper.state('errorMessage')).toBe(
+        'Invalid GitHub token. Please check your token and try again.',
+      );
+      expect(store.gitHubToken).toEqual(null);
+    });
+
+    it('handles missing gist scope', async () => {
+      vi.mocked(mockOctokit.users.getAuthenticated).mockResolvedValue({
+        data: mockUser,
+        headers: {
+          'x-oauth-scopes': 'repo, user', // Missing 'gist' scope
+        },
+      } as any);
+
+      const wrapper = shallow(<TokenDialog appState={store} />);
+      wrapper.setState({ tokenInput: mockValidToken });
+      const instance: any = wrapper.instance();
+
+      await instance.onSubmitToken();
+
+      expect(wrapper.state('error')).toBe(true);
+      expect(wrapper.state('errorMessage')).toBe(
+        'Token is missing the "gist" scope. Please generate a new token with gist permissions.',
+      );
+      expect(store.gitHubToken).toEqual(null);
     });
 
-    it('handles an error', async () => {
+    it('handles empty scopes header', async () => {
       vi.mocked(mockOctokit.users.getAuthenticated).mockResolvedValue({
-        data: null,
+        data: mockUser,
+        headers: {
+          // No x-oauth-scopes header
+        },
       } as any);
 
       const wrapper = shallow(<TokenDialog appState={store} />);
@@ -163,7 +222,110 @@ describe('TokenDialog component', () => {
       await instance.onSubmitToken();
 
       expect(wrapper.state('error')).toBe(true);
+      expect(wrapper.state('errorMessage')).toBe(
+        'Token is missing the "gist" scope. Please generate a new token with gist permissions.',
+      );
       expect(store.gitHubToken).toEqual(null);
     });
   });
+
+  describe('validateGitHubToken()', () => {
+    let mockOctokit: Octokit;
+    const mockUser = {
+      avatar_url: 'https://avatars.fake/hi',
+      login: 'test-login',
+      name: 'Test User',
+    } as const;
+
+    beforeEach(() => {
+      mockOctokit = {
+        users: {
+          getAuthenticated: vi.fn(),
+        },
+      } as unknown as Octokit;
+
+      vi.mocked(getOctokit).mockResolvedValue(mockOctokit);
+    });
+
+    it('validates a token with gist scope', async () => {
+      vi.mocked(mockOctokit.users.getAuthenticated).mockResolvedValue({
+        data: mockUser,
+        headers: {
+          'x-oauth-scopes': 'gist, repo, user',
+        },
+      } as any);
+
+      const wrapper = shallow(<TokenDialog appState={store} />);
+      const instance: any = wrapper.instance();
+
+      const result = await instance.validateGitHubToken('valid-token');
+
+      expect(result).toEqual({
+        isValid: true,
+        scopes: ['gist', 'repo', 'user'],
+        hasGistScope: true,
+        user: mockUser,
+      });
+    });
+
+    it('validates a token without gist scope', async () => {
+      vi.mocked(mockOctokit.users.getAuthenticated).mockResolvedValue({
+        data: mockUser,
+        headers: {
+          'x-oauth-scopes': 'repo, user',
+        },
+      } as any);
+
+      const wrapper = shallow(<TokenDialog appState={store} />);
+      const instance: any = wrapper.instance();
+
+      const result = await instance.validateGitHubToken('token-without-gist');
+
+      expect(result).toEqual({
+        isValid: true,
+        scopes: ['repo', 'user'],
+        hasGistScope: false,
+        user: mockUser,
+      });
+    });
+
+    it('handles invalid token', async () => {
+      vi.mocked(mockOctokit.users.getAuthenticated).mockRejectedValue(
+        new Error('Bad credentials'),
+      );
+
+      const wrapper = shallow(<TokenDialog appState={store} />);
+      const instance: any = wrapper.instance();
+
+      const result = await instance.validateGitHubToken('invalid-token');
+
+      expect(result).toEqual({
+        isValid: false,
+        scopes: [],
+        hasGistScope: false,
+        error: 'Bad credentials',
+      });
+    });
+
+    it('handles missing scopes header', async () => {
+      vi.mocked(mockOctokit.users.getAuthenticated).mockResolvedValue({
+        data: mockUser,
+        headers: {},
+      } as any);
+
+      const wrapper = shallow(<TokenDialog appState={store} />);
+      const instance: any = wrapper.instance();
+
+      const result = await instance.validateGitHubToken(
+        'token-no-scopes-header',
+      );
+
+      expect(result).toEqual({
+        isValid: true,
+        scopes: [],
+        hasGistScope: false,
+        user: mockUser,
+      });
+    });
+  });
 });
