Module: Legion::Extensions::Github::Runners::Auth

Includes:
App::Runners::Auth, App::Runners::CredentialStore, Helpers::Client, OAuth::Runners::Auth, Helpers::Lex
Defined in:
lib/legion/extensions/github/runners/auth.rb

Constant Summary

Constants included from Helpers::Client

Helpers::Client::CREDENTIAL_RESOLVERS

Constants included from Helpers::TokenCache

Helpers::TokenCache::TOKEN_BUFFER_SECONDS

Class Method Summary

Instance Method Summary

Methods included from OAuth::Runners::Auth

#authorize_url, #exchange_code, #generate_pkce, #oauth_connection, #poll_device_code, #refresh_token, #request_device_code, #revoke_token

Methods included from Helpers::Client

#connection, #gh_cli_token_output, #max_fallback_retries, #on_rate_limit, #on_scope_authorized, #on_scope_denied, #resolve_broker_app, #resolve_credential, #resolve_env, #resolve_gh_cli, #resolve_next_credential, #resolve_settings_app, #resolve_settings_delegated, #resolve_settings_pat, #resolve_vault_app, #resolve_vault_delegated, #resolve_vault_pat

Methods included from Helpers::ScopeRegistry

#credential_fingerprint, #invalidate_scope, #mark_rate_limited, #rate_limited?, #register_scope, #scope_status

Methods included from Helpers::TokenCache

#fetch_token, #mark_rate_limited, #rate_limited?, #store_token

Methods included from App::Runners::CredentialStore

#load_oauth_token, #store_app_credentials, #store_oauth_token

Methods included from App::Runners::Auth

#create_installation_token, #generate_jwt, #get_installation, #list_installations

Class Method Details

.remote_invocable? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/legion/extensions/github/runners/auth.rb', line 19

# Reports whether this runner may be invoked remotely; the answer is always
# +false+.
#
# NOTE(review): presumably the framework consults this flag before dispatching
# remote calls, which would keep this credential-handling runner local-only.
# Confirm against the caller.
#
# @return [Boolean] always false
def self.remote_invocable? = false

Instance Method Details

#installations ⇒ Object



# File 'lib/legion/extensions/github/runners/auth.rb', line 95

# Lists app installations, writing an info line to the log first.
#
# Every keyword argument is handed through unchanged to +list_installations+.
#
# @return [Object] whatever +list_installations+ returns
def installations(**)
  log.info '[lex-github] listing app installations'
  list_installations(**)
end

#login(client_id: nil, scopes: nil) ⇒ Object



# File 'lib/legion/extensions/github/runners/auth.rb', line 49

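# Runs the browser-based OAuth login flow and, on success, persists the token.
#
# The method name was missing from the listing (+def (+ does not parse); it is
# restored here from the +#login+ signature shown in the page heading.
#
# Logging: only the first eight characters of the client id are written to the
# log, and no log line interpolates the access or refresh token.
#
# NOTE(review): the hash returned on success is the one produced by
# +Helpers::BrowserAuth#authenticate+ and still carries the raw access and
# refresh tokens. Callers should not log or serialize it as-is.
#
# @param client_id [String, nil] OAuth client id; falls back to +settings_client_id+
# @param scopes [Object, nil] scopes to request; falls back to +settings_scopes+
# @return [Hash] one of:
#   - +{ error: 'missing_config', description: ... }+ when no client id is available
#   - +{ result: nil, error: ..., description: ... }+ when the flow reports an error
#   - the hash returned by +browser.authenticate+ otherwise
def login(client_id: nil, scopes: nil, **)
  cid = client_id || settings_client_id
  unless cid
    log.error('[lex-github] auth login: no client_id configured — set github.app.client_id in settings')
    return { error: 'missing_config', description: 'Set github.app.client_id in settings' }
  end

  log.info("[lex-github] auth login: starting OAuth flow with client_id=#{cid[0..7]}...")

  sc = scopes || settings_scopes
  browser = Helpers::BrowserAuth.new(client_id: cid, scopes: sc)
  result = browser.authenticate

  if result[:error]
    log.error("[lex-github] auth login failed: #{result[:error]}#{result[:description]}")
    return { result: nil, error: result[:error], description: result[:description] }
  end

  token_data = result[:result]
  access_token = token_data&.dig('access_token')
  unless access_token
    log.warn('[lex-github] auth login: OAuth completed but no access_token in response')
    return result
  end

  # Identify the token's owner. If the lookup raises, the token is kept and
  # filed under the placeholder user 'default'.
  # NOTE(review): in that case the info line below reads "authenticated as
  # default" although no identity was confirmed. Also confirm that the HTTP
  # client's exception messages never include the Authorization header, since
  # e.message is logged verbatim.
  user = begin
    current_user(token: access_token)
  rescue StandardError => e
    log.warn("[lex-github] auth login: token obtained but /user lookup failed: #{e.message}")
    'default'
  end

  log.info("[lex-github] auth login: authenticated as #{user}")

  # The credential store is mixed in separately; the `true` argument makes
  # respond_to? also see private methods.
  if respond_to?(:store_oauth_token, true)
    store_oauth_token(
      user:          user,
      access_token:  access_token,
      refresh_token: token_data['refresh_token'],
      expires_in:    token_data['expires_in']
    )
    log.info("[lex-github] auth login: token stored for user=#{user}")
  else
    log.warn('[lex-github] auth login: store_oauth_token not available — token not persisted')
  end

  result
end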

#status ⇒ Object



# File 'lib/legion/extensions/github/runners/auth.rb', line 23

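# Reports which credential is in use and, when GitHub can be reached, which
# user and OAuth scopes it maps to.
#
# The listing had lost the name of the local that holds the +/user+ response
# body (+ = {}+ does not parse); it is restored here as +user_info+.
#
# The credential's token is sent to +/user+ but is never logged or returned.
#
# NOTE(review): +authenticated: true+ is returned whenever a credential was
# resolved, including when the +/user+ request raised. In that case +user+ and
# +scopes+ are nil, so consumers should treat a nil +user+ as "credential
# present but not verified against GitHub".
#
# @return [Hash] +{ result: { authenticated: false } }+ when no credential is
#   found; otherwise +{ result: { authenticated: true, auth_type:, user:, scopes: } }+
def status(**)
  cred = resolve_credential
  unless cred
    log.warn('[lex-github] auth status: no credential found across all sources')
    return { result: { authenticated: false } }
  end

  log.info("[lex-github] auth status: credential found via #{cred[:auth_type]}")

  user_info = {}
  scopes = nil
  begin
    response = connection(token: cred[:token]).get('/user')
    user_info = response.body || {}
    # Not every response object exposes headers; fall back to an empty hash.
    headers = response.respond_to?(:headers) ? response.headers : {}
    # Accept either header casing.
    scopes_header = headers['X-OAuth-Scopes'] || headers['x-oauth-scopes']
    scopes = scopes_header&.split(',')&.map(&:strip)
    log.info("[lex-github] auth status: authenticated as #{user_info['login']} (#{cred[:auth_type]})")
  rescue StandardError => e
    # Best effort: a failed lookup is logged and the status is still returned.
    log.warn("[lex-github] auth status: credential found but /user request failed: #{e.message}")
  end

  { result: { authenticated: true, auth_type: cred[:auth_type],
              user: user_info['login'], scopes: scopes } }
end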