Support for Authentication Schemes - Decouple user auth from GitHub API credentials

.env

@@ -25,5 +25,23 @@ NUXT_SESSION_PASSWORD=something_long_and_random_thats_at_least_32_characters
 NUXT_OAUTH_GITHUB_CLIENT_ID=
 NUXT_OAUTH_GITHUB_CLIENT_SECRET=
 
+# for Google OAuth
+NUXT_OAUTH_GOOGLE_CLIENT_ID=
+NUXT_OAUTH_GOOGLE_CLIENT_SECRET=
+
+# for Microsoft OAuth
+NUXT_OAUTH_MICROSOFT_CLIENT_ID=
+NUXT_OAUTH_MICROSOFT_CLIENT_SECRET=
+NUXT_OAUTH_MICROSOFT_TENANT=
+
+# GitHub App for API calls (decoupled from user authentication)
+NUXT_GITHUB_APP_ID=
+NUXT_GITHUB_APP_PRIVATE_KEY=
+NUXT_GITHUB_APP_INSTALLATION_ID=
+
+# Authorization settings
+# Comma-separated list of usernames authorized to access the dashboard
+NUXT_AUTHORIZED_USERS=
+
 # to use a corporate proxy
 # HTTP_PROXY=http://proxy.company.com:8080

.github/workflows/copilot-setup-steps.yml

@@ -0,0 +1,37 @@
+name: "Copilot Setup Steps"
+
+# Automatically run the setup steps when they are changed to allow for easy validation, and
+# allow manual testing through the repository's "Actions" tab
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+  pull_request:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+
+jobs:
+  # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
+  copilot-setup-steps:
+    runs-on: ubuntu-latest
+
+    # Set the permissions to the lowest permissions possible needed for your steps.
+    # Copilot will be given its own token for its operations.
+    permissions:
+      # If you want to clone the repository as part of your setup steps, for example to install dependencies, you'll need the `contents: read` permission. If you don't clone the repository in your setup steps, Copilot will do this for you automatically after the steps complete.
+      contents: read
+
+    # You can define any steps you want, and they will run before the agent starts.
+    # If you do not check out your code, Copilot will do this for you.
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version: lts/*
+    - name: Install dependencies
+      run: npm ci
+    - name: Build the app
+      run: npm run build
+    - name: Install Playwright Browsers
+      run: npx playwright install --with-deps

README.md

@@ -165,6 +165,8 @@ For more information see [Nuxt Sessions and Authentication](https://nuxt.com/doc
 
 #### NUXT_PUBLIC_USING_GITHUB_AUTH
 
+**Deprecated in v2.1.0+** - Use the new authentication scheme below for better security and flexibility.
+
 Default is `false`. When set to `true`, GitHub OAuth App Authentication will be performed to verify users' access to the dashboard.
 
 Variables required for GitHub Auth are:
@@ -175,6 +177,102 @@ Variables required for GitHub Auth are:
 >[!WARNING]
 > Only users with permissions (scopes listed in [NUXT_GITHUB_TOKEN](#NUXT_GITHUB_TOKEN)) can view copilot metrics, GitHub uses the authenticated users permissions to make API calls for data.
 
+## New Authentication Schemes (v2.1.0+)
+
+Starting from version 2.1.0, the application supports decoupled authentication where user authentication is separate from GitHub API credentials. This provides better security and flexibility.
+
+### Authentication Methods
+
+The application supports multiple authentication schemes in order of priority:
+
+1. **GitHub App Authentication (Recommended)** - Uses GitHub App credentials for API calls, separate from user authentication
+2. **Personal Access Token** - Uses a fixed token for both authentication and API calls (legacy mode)
+3. **User OAuth Token** - Uses authenticated user's token for API calls (deprecated)
+
+### GitHub App Authentication (Recommended)
+
+This is the most secure approach where a GitHub App provides API access while users authenticate via various OAuth providers.
+
+**Required Environment Variables:**
+```bash
+# GitHub App for API calls (separate from user authentication)
+NUXT_GITHUB_APP_ID=your_github_app_id
+NUXT_GITHUB_APP_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"
+NUXT_GITHUB_APP_INSTALLATION_ID=your_installation_id
+
+# Optional: Restrict access to specific users
+NUXT_AUTHORIZED_USERS=alice,bob,charlie
+```
+
+**Benefits:**
+- Decouples user authentication from GitHub API access
+- Users don't need GitHub API permissions
+- Supports multiple OAuth providers (GitHub, Google, Microsoft, etc.)
+- Better security through principle of least privilege
+
+### User Authorization
+
+When using GitHub App authentication, you can optionally restrict access using:
+
+- **NUXT_AUTHORIZED_USERS** - Comma-separated list of usernames authorized to access the dashboard
+  - If not set, all authenticated users are allowed
+  - Usernames are matched case-insensitively
+  - Works with any OAuth provider (uses `login`, `name`, or user ID)
+
+Example:
+```bash
+NUXT_AUTHORIZED_USERS=alice,[email protected],charlie
+```
+
+### Supported OAuth Providers
+
+The application supports 20+ OAuth providers through nuxt-auth-utils:
+
+- **GitHub** - `/auth/github`
+- **Google** - `/auth/google` 
+- **Microsoft** - `/auth/microsoft`
+- Auth0, AWS Cognito, Discord, Facebook, GitLab, LinkedIn, and more
+
+**Configuration Examples:**
+
+GitHub OAuth:
+```bash
+NUXT_OAUTH_GITHUB_CLIENT_ID=your_github_client_id
+NUXT_OAUTH_GITHUB_CLIENT_SECRET=your_github_client_secret
+```
+
+Google OAuth:
+```bash
+NUXT_OAUTH_GOOGLE_CLIENT_ID=your_google_client_id
+NUXT_OAUTH_GOOGLE_CLIENT_SECRET=your_google_client_secret
+```
+
+Microsoft OAuth:
+```bash
+NUXT_OAUTH_MICROSOFT_CLIENT_ID=your_microsoft_client_id
+NUXT_OAUTH_MICROSOFT_CLIENT_SECRET=your_microsoft_client_secret
+NUXT_OAUTH_MICROSOFT_TENANT=your_tenant_id_or_common
+```
+
+### GitHub App Setup
+
+1. Create a GitHub App in your organization/enterprise settings
+2. Generate a private key and save it securely
+3. Install the app in your organization/enterprise
+4. Grant the following permissions:
+   - Repository: `metadata:read`
+   - Organization: `administration:read`, `billing:read`
+   - Enterprise: `administration:read`, `billing:read` (if using enterprise scope)
+
+### Migration from Legacy Authentication
+
+If you're currently using `NUXT_PUBLIC_USING_GITHUB_AUTH=true`, you can migrate to the new system:
+
+1. Set up a GitHub App (recommended) or keep using PAT
+2. Configure OAuth providers for user authentication
+3. Optionally set `NUXT_AUTHORIZED_USERS` for access control
+4. Remove `NUXT_PUBLIC_USING_GITHUB_AUTH` (will default to false)
+
 #### Support for HTTP Proxy HTTP_PROXY
 
 Solution supports HTTP Proxy settings when running in corporate environment. Simple set `HTTP_PROXY` environment variable.

nuxt.config.ts

@@ -77,6 +77,12 @@ export default defineNuxtConfig({
   },
   runtimeConfig: {
     githubToken: '',
+    // GitHub App credentials for API calls (decoupled from user auth)
+    githubAppId: '',
+    githubAppPrivateKey: '',
+    githubAppInstallationId: '',
+    // Authorization settings
+    authorizedUsers: '',
     session: {
       // set to 6h - same as the GitHub token
       maxAge: 60 * 60 * 6,
@@ -86,6 +92,15 @@ export default defineNuxtConfig({
       github: {
         clientId: '',
         clientSecret: ''
+      },
+      google: {
+        clientId: '',
+        clientSecret: ''
+      },
+      microsoft: {
+        clientId: '',
+        clientSecret: '',
+        tenant: ''
       }
     },
     public: {