From b1bb5f838ab43ad4b8c9a609656bd4cd725481ef Mon Sep 17 00:00:00 2001 From: rabbitblood Date: Mon, 20 Apr 2026 08:30:02 -0700 Subject: [PATCH] =?UTF-8?q?fix:=20GitHub=20token=20refresh=20=E2=80=94=20a?= =?UTF-8?q?dd=20WorkspaceAuth=20path=20for=20credential=20helper=20(#1068)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR #729 tightened AdminAuth to require ADMIN_TOKEN, breaking the workspace credential helper which called /admin/github-installation-token with a workspace bearer token. Tokens expired after 60 min with no refresh. Fix: Add /workspaces/:id/github-installation-token under WorkspaceAuth so any authenticated workspace can refresh its GitHub token. Keep the admin path as backward-compatible alias. Update molecule-git-token-helper.sh to use the workspace-scoped path when WORKSPACE_ID is set. Co-Authored-By: Claude Opus 4.6 (1M context)
---
workspace-server/internal/router/router.go | 6 ++++++ workspace/scripts/molecule-git-token-helper.sh | 9 ++++++++- 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/workspace-server/internal/router/router.go b/workspace-server/internal/router/router.go
index 4b6e8aeb..c636bf87 100644
--- a/workspace-server/internal/router/router.go
+++ b/workspace-server/internal/router/router.go
@@ -376,7 +376,13 @@ func Setup(hub *ws.Hub, broadcaster *events.Broadcaster, prov *provisioner.Provi
 // (dev / self-hosted without GITHUB_APP_ID).
 {
 ghTokH := handlers.NewGitHubTokenHandler(wh.TokenRegistry())
+ // #1068: moved from AdminAuth to allow any authenticated workspace to
+ // refresh its GitHub token. The credential helper in containers calls
+ // this endpoint with a workspace bearer token — AdminAuth (PR #729)
+ // rejects those, breaking token refresh after 60 min.
+ // Keep the old path as an alias for backward compat.
 r.GET("/admin/github-installation-token", middleware.AdminAuth(db.DB), ghTokH.GetInstallationToken)
+ wsAuth.GET("/github-installation-token", ghTokH.GetInstallationToken)
 }
 
 // Terminal — shares Docker client with provisioner
diff --git a/workspace/scripts/molecule-git-token-helper.sh b/workspace/scripts/molecule-git-token-helper.sh
index e2a519a4..4b7a8cca 100755
--- a/workspace/scripts/molecule-git-token-helper.sh
+++ b/workspace/scripts/molecule-git-token-helper.sh
@@ -53,7 +53,14 @@ set -euo pipefail
 PLATFORM_URL="${PLATFORM_URL:-http://platform:8080}"
 CONFIGS_DIR="${CONFIGS_DIR:-/configs}"
 TOKEN_FILE="${CONFIGS_DIR}/.auth_token"
-ENDPOINT="${PLATFORM_URL}/admin/github-installation-token"
+# #1068: use workspace-scoped path (WorkspaceAuth) instead of admin path
+# (AdminAuth rejects workspace bearer tokens since PR #729).
+WORKSPACE_ID="${WORKSPACE_ID:-}"
+if [ -n "$WORKSPACE_ID" ]; then
+ ENDPOINT="${PLATFORM_URL}/workspaces/${WORKSPACE_ID}/github-installation-token"
+else
+ ENDPOINT="${PLATFORM_URL}/admin/github-installation-token"
+fi
 
 # _fetch_token — internal helper; also callable directly from cron.
 # Outputs the raw token string on success; exits non-zero on failure.
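Review bot: The new `wsAuth.GET("/github-installation-token", ghTokH.GetInstallationToken)` line reuses the handler written for the admin route, and nothing in the hunk shows that handler reading the group's workspace id, so every workspace presumably receives the same installation token the admin path hands out. If that installation token covers more repositories than the calling workspace's own, the change widens what a workspace bearer token can obtain compared with the ADMIN_TOKEN-gated path, which the added comment does not mention. That is worth confirming in GetInstallationToken (outside this hunk) and, if it holds, narrowing the issued token to the workspace's repository via the installation access-token `repositories` restriction, or at minimum documenting the decision next to the route: `// NOTE: returns the shared installation token; scope is not narrowed per workspace — relies on WorkspaceAuth binding the bearer token to :id`. Setup continues outside the hunk on both sides.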
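Review bot: `WORKSPACE_ID` is spliced straight into the request path on the `ENDPOINT="${PLATFORM_URL}/workspaces/${WORKSPACE_ID}/github-installation-token"` line, so a value containing `/`, `?` or `..` would steer the request to a different route instead of failing; since the value comes from the container environment, a format check before use is cheap, e.g. `case "$WORKSPACE_ID" in *[!A-Za-z0-9_-]*) echo "git-token-helper: invalid WORKSPACE_ID" >&2; exit 1;; esac` with the character class adjusted to the real id format. The `else` branch silently falls back to the admin path, which per the commit description rejects workspace bearer tokens, so an unset `WORKSPACE_ID` inside a container would reproduce the original 60-minute expiry with no hint why; a `>&2` line naming the chosen endpoint would make that diagnosable from the cron output. `_fetch_token` is defined after the hunk.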