Harden GitHub auth context and cancel abandoned requests (#71)

- Catch uncaught token refresh errors in getGitHubAppUserInstallations
  and getGitHubUserContextForOwner so a failed refresh falls back to the
  OAuth client instead of crashing the Worker
- Eagerly verify installation auth in getGitHubContextForOwner since
  @octokit/auth-app authenticates lazily and the existing try/catch
  could never catch auth failures
- Skip suspended GitHub App installations
- Cache resolved GitHub contexts per-request (WeakMap<Request>) so
  parallel server functions reuse one session/installation lookup
- Propagate the incoming HTTP request abort signal to GitHub API calls
  via AbortSignal.any so navigating away cancels in-flight work
- Add debug() logging to the auth and context resolution flow

Author: stylessh

apps/dashboard/src/lib/github-app.server.ts

@@ -3,6 +3,7 @@ import { env } from "cloudflare:workers";
 import { and, eq } from "drizzle-orm";
 import { getDb } from "../db";
 import { account } from "../db/schema";
+import { debug } from "./debug";
 import { normalizeGitHubAppPrivateKey } from "./github-private-key";
 import { GITHUB_REQUEST_TIMEOUT_MS } from "./github-request-policy";
 
@@ -196,19 +197,25 @@ async function refreshGitHubAppUserToken({
 	userId: string;
 }) {
 	const githubApp = getGitHubAppAuthConfig();
-	const payload = await requestGitHubAppUserToken({
-		client_id: githubApp.clientId,
-		client_secret: githubApp.clientSecret,
-		grant_type: "refresh_token",
-		refresh_token: refreshToken,
-	});
-
-	await saveGitHubAppUserToken({
-		userId,
-		payload,
-	});
-
-	return payload.access_token;
+	try {
+		const payload = await requestGitHubAppUserToken({
+			client_id: githubApp.clientId,
+			client_secret: githubApp.clientSecret,
+			grant_type: "refresh_token",
+			refresh_token: refreshToken,
+		});
+
+		await saveGitHubAppUserToken({
+			userId,
+			payload,
+		});
+
+		debug("github-auth", "app user token refreshed", { userId });
+		return payload.access_token;
+	} catch (error) {
+		console.error("[github-auth] app user token refresh failed", userId, error);
+		throw error;
+	}
 }
 
 async function saveGitHubAppUserToken({
@@ -258,20 +265,29 @@ async function saveGitHubAppUserToken({
 export async function getGitHubAppUserAccessTokenByUserId(userId: string) {
 	const githubAccount = await getGitHubAppUserAccountByUserId(userId);
 	if (!githubAccount?.accessToken) {
+		debug("github-auth", "no app user account", { userId });
 		return null;
 	}
 
 	if (isUsableAccessTokenExpiresAt(githubAccount.accessTokenExpiresAt)) {
+		debug("github-auth", "app user token is fresh", { userId });
 		return githubAccount.accessToken;
 	}
 
 	if (
 		!githubAccount.refreshToken ||
 		!isUsableAccessTokenExpiresAt(githubAccount.refreshTokenExpiresAt)
 	) {
+		debug("github-auth", "app user token expired, refresh unavailable", {
+			userId,
+			hasRefreshToken: Boolean(githubAccount.refreshToken),
+			refreshTokenExpiresAt:
+				githubAccount.refreshTokenExpiresAt?.toISOString() ?? null,
+		});
 		return null;
 	}
 
+	debug("github-auth", "app user token expired, refreshing", { userId });
 	return refreshGitHubAppUserToken({
 		refreshToken: githubAccount.refreshToken,
 		userId,

apps/dashboard/src/lib/github-request-policy.ts

@@ -1,3 +1,4 @@
+import { getRequest } from "@tanstack/react-start/server";
 import type { Octokit as OctokitType } from "octokit";
 
 const GITHUB_READ_RETRY_COUNT = 1;
@@ -19,8 +20,28 @@ function isSafeGitHubRetryMethod(method: string | undefined) {
 	return method === "GET" || method === "HEAD" || method === "OPTIONS";
 }
 
-function createGitHubRequestTimeoutSignal() {
-	return AbortSignal.timeout(GITHUB_REQUEST_TIMEOUT_MS);
+function createGitHubRequestTimeoutSignal(
+	requestSignal: AbortSignal | undefined,
+) {
+	const timeoutSignal = AbortSignal.timeout(GITHUB_REQUEST_TIMEOUT_MS);
+	if (!requestSignal) {
+		return timeoutSignal;
+	}
+
+	return AbortSignal.any([requestSignal, timeoutSignal]);
+}
+
+/**
+ * Returns the incoming HTTP request's abort signal when available.
+ * When the client navigates away the signal fires, letting us cancel
+ * in-flight GitHub requests instead of running them to completion.
+ */
+function getIncomingRequestSignal(): AbortSignal | undefined {
+	try {
+		return getRequest().signal;
+	} catch {
+		return undefined;
+	}
 }
 
 export function configureGitHubRequestPolicies(octokit: OctokitType) {
@@ -30,6 +51,8 @@ export function configureGitHubRequestPolicies(octokit: OctokitType) {
 		requestOptions.retries = isSafeGitHubRetryMethod(options.method)
 			? GITHUB_READ_RETRY_COUNT
 			: 0;
-		requestOptions.signal ??= createGitHubRequestTimeoutSignal();
+		requestOptions.signal ??= createGitHubRequestTimeoutSignal(
+			getIncomingRequestSignal(),
+		);
 	});
 }