Detect stale GitHub App auth and send users to /setup#155
Merged
Conversation
Verify the app user token with GET /user/installations during setup checks. Normalize installation-token mint failures and common OAuth errors so the error screen can offer /setup. Clear the protected-route auth cache when visiting setup or choosing Review GitHub access.
Contributor
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughDetects GitHub App credential/authorization failures and introduces reauthorization flow: new error-classification helpers, server-side checks that map such errors to a reauth signal, a protected-route auth cache API, and UI to prompt and initiate GitHub App reauthorization. Changes
Sequence Diagram(s)sequenceDiagram
participant Client as Client
participant UI as Dashboard Error Screen
participant Setup as Setup Route
participant Server as Server Functions
participant GitHub as GitHub API
Client->>Server: Request protected resource
Server->>GitHub: GitHub App call (e.g., GET /user/installations)
GitHub-->>Server: 401/403/422 or credential error
Server->>Server: shouldReauthorizeGitHubApp(error)
alt reauth required
Server-->>Client: Response indicating reauth required
Client->>UI: Render reauthorize-github-app action
Client->>UI: Click "Reauthorize" button
UI->>UI: clearProtectedRouteCachedAuth()
UI->>Setup: Navigate to /setup
Setup->>Server: checkSetupComplete()
Server->>GitHub: Verify App user install (GET /user/installations)
GitHub-->>Server: Success
Server-->>Setup: Setup complete
else not reauth
Server-->>Client: Propagate original error
end
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 1 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (1 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! View logs |
diffkit | 8a62da5 | Apr 18 2026, 03:18 PM |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
apps/dashboard/src/components/layouts/dashboard-error-screen.tsx (1)
45-73:⚠️ Potential issue | 🟠 MajorReauth detection is narrower than canonical auth-error logic.
Line 45 only checks
"bad credentials", docs URL, and401. It misses 403/422 reauthorization signals handled byapps/dashboard/src/lib/github-auth-errors.ts(e.g., suspended/new-permissions/pending-permission cases), so these can be misclassified as"configure-access"at Line 60.🔧 Suggested alignment patch
if ( lower.includes("bad credentials") || lower.includes("docs.github.com/rest") || - /\b401\b/.test(lower) + /\b401\b/.test(lower) || + ( + (lower.includes("403") || lower.includes("forbidden")) && + !lower.includes("not accessible by integration") && + ( + lower.includes("suspended") || + lower.includes("new permissions") || + lower.includes("additional permissions") || + lower.includes("must be granted") || + (lower.includes("permission") && lower.includes("pending")) + ) + ) || + ( + /\b422\b/.test(lower) && + lower.includes("installation") && + (lower.includes("suspend") || lower.includes("permission")) + ) ) {🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@apps/dashboard/src/components/layouts/dashboard-error-screen.tsx` around lines 45 - 73, The current reauth detection in dashboard-error-screen.tsx uses ad-hoc checks (lower.includes("bad credentials"), docs URL, /\b401\b/) which misses other canonical reauth signals (403/422, suspended/new-permissions/pending-permission) handled in apps/dashboard/src/lib/github-auth-errors.ts; replace the manual checks with the shared helper from that module (import the exported function that detects reauth cases—e.g., isReauthError or the classifier exported by github-auth-errors.ts) and use it to decide between returning the LockIcon block with action "reauthorize-github-app" and the existing "configure-access" block, so LockIcon/ title/ description/ action remain the same but detection is aligned with the canonical logic.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@apps/dashboard/src/lib/protected-auth-cache.ts`:
- Around line 21-35: The module-level cache (cachedAuth) is being read/written
during SSR and can leak across requests; wrap all reads and writes so they only
run in the browser by guarding with typeof window !== "undefined": make
getProtectedRouteCachedAuth() return null when window is undefined, make
setProtectedRouteCachedAuth(next) a no-op server-side, and make
clearProtectedRouteCachedAuth() a no-op server-side; keep the existing
cachedAuth variable and function names (cachedAuth, getProtectedRouteCachedAuth,
setProtectedRouteCachedAuth, clearProtectedRouteCachedAuth) so the fixes are
scoped to those symbols.
---
Outside diff comments:
In `@apps/dashboard/src/components/layouts/dashboard-error-screen.tsx`:
- Around line 45-73: The current reauth detection in dashboard-error-screen.tsx
uses ad-hoc checks (lower.includes("bad credentials"), docs URL, /\b401\b/)
which misses other canonical reauth signals (403/422,
suspended/new-permissions/pending-permission) handled in
apps/dashboard/src/lib/github-auth-errors.ts; replace the manual checks with the
shared helper from that module (import the exported function that detects reauth
cases—e.g., isReauthError or the classifier exported by github-auth-errors.ts)
and use it to decide between returning the LockIcon block with action
"reauthorize-github-app" and the existing "configure-access" block, so LockIcon/
title/ description/ action remain the same but detection is aligned with the
canonical logic.
🪄 Autofix (Beta)
✅ Autofix completed
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 516c41c5-b81c-4553-a136-73ffd20a027c
📒 Files selected for processing (7)
apps/dashboard/src/components/layouts/dashboard-error-screen.tsxapps/dashboard/src/lib/github-auth-errors.tsapps/dashboard/src/lib/github.functions.tsapps/dashboard/src/lib/github.server.tsapps/dashboard/src/lib/protected-auth-cache.tsapps/dashboard/src/routes/_protected.tsxapps/dashboard/src/routes/setup.tsx
Contributor
|
Note Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it. Fixes Applied SuccessfullyFixed 1 file(s) based on 1 unresolved review comment. Files modified:
Commit: The changes have been pushed to the Time taken: |
Fixed 1 file(s) based on 1 unresolved review comment. Co-authored-by: CodeRabbit <noreply@coderabbit.ai>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When GitHub rejects the app user token (for example after permission or credential changes),
checkSetupCompletenow fails a liveGET /user/installationscheck so protected routes redirect to/setupinstead of assuming the DB row is enough.Installation access token mint errors that indicate re-authorization are surfaced as the same
Bad credentialspattern so the error screen can offer Review GitHub access (links to/setupand clears the in-memory protected-route cache). Visiting/setupalso clears that cache so returning to the dashboard re-runs the setup check.Keeps the existing configure access path for
Resource not accessible by integrationstyle 403s.Summary by CodeRabbit
New Features
Bug Fixes