Merge pull request #1069 from Molecule-AI/fix/github-token-refresh-1068

fix: GitHub token refresh — WorkspaceAuth path for credential helper (#1068)
2026-04-20 08:37:46 -07:00 · 2026-04-20 08:37:46 -07:00 · 24a75954ff
commit 24a75954ff
parent 95181c890d d8a2855c25
3 changed files with 16 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -117,6 +117,8 @@ backups/

 # Cloned-via-manifest dirs — populated locally by scripts/clone-manifest.sh,
 # tracked in their own standalone repos. Never commit to core.
+# org-templates live in Molecule-AI/molecule-ai-org-template-* repos.
+# plugins live in Molecule-AI/molecule-ai-plugin-* repos.
 /org-templates/
 /plugins/
 /workspace-configs-templates/
--- a/workspace-server/internal/router/router.go
+++ b/workspace-server/internal/router/router.go
@ -376,7 +376,13 @@ func Setup(hub *ws.Hub, broadcaster *events.Broadcaster, prov *provisioner.Provi
 	// (dev / self-hosted without GITHUB_APP_ID).
 	{
 		ghTokH := handlers.NewGitHubTokenHandler(wh.TokenRegistry())
+		// #1068: moved from AdminAuth to allow any authenticated workspace to
+		// refresh its GitHub token. The credential helper in containers calls
+		// this endpoint with a workspace bearer token — AdminAuth (PR #729)
+		// rejects those, breaking token refresh after 60 min.
+		// Keep the old path as an alias for backward compat.
 		r.GET("/admin/github-installation-token", middleware.AdminAuth(db.DB), ghTokH.GetInstallationToken)
+		wsAuth.GET("/github-installation-token", ghTokH.GetInstallationToken)
 	}

 	// Terminal — shares Docker client with provisioner
--- a/workspace/scripts/molecule-git-token-helper.sh
+++ b/workspace/scripts/molecule-git-token-helper.sh
@ -53,7 +53,14 @@ set -euo pipefail
 PLATFORM_URL="${PLATFORM_URL:-http://platform:8080}"
 CONFIGS_DIR="${CONFIGS_DIR:-/configs}"
 TOKEN_FILE="${CONFIGS_DIR}/.auth_token"
-ENDPOINT="${PLATFORM_URL}/admin/github-installation-token"
+# #1068: use workspace-scoped path (WorkspaceAuth) instead of admin path
+# (AdminAuth rejects workspace bearer tokens since PR #729).
+WORKSPACE_ID="${WORKSPACE_ID:-}"
+if [ -n "$WORKSPACE_ID" ]; then
+    ENDPOINT="${PLATFORM_URL}/workspaces/${WORKSPACE_ID}/github-installation-token"
+else
+    ENDPOINT="${PLATFORM_URL}/admin/github-installation-token"
+fi

 # _fetch_token — internal helper; also callable directly from cron.
 # Outputs the raw token string on success; exits non-zero on failure.