Merge pull request #16 from bbrowning/narrow-github-pat

bbrowning · web-flow · commit e990bd7c854e · 2026-04-03T17:02:18.000-04:00
Narrow GitHub PAT injection to api.github.com only
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -93,8 +93,7 @@ The default credential routing is defined in `internal/credentials/credentials.j
 | `*.anthropic.com` | `x-api-key: <key>` | `ANTHROPIC_API_KEY` |
 | `*.openai.com` | `Authorization: Bearer <key>` | `OPENAI_API_KEY` |
 | `*.cursor.com`, `*.cursorapi.com` | `Authorization: Bearer <key>` | `CURSOR_API_KEY` |
-| `github.com`, `api.github.com` | `Authorization: Bearer <pat>` | `GH_TOKEN` |
-| `*.githubusercontent.com` | `Authorization: Bearer <pat>` | `GH_TOKEN` |
+| `api.github.com` | `Authorization: Bearer <pat>` | `GH_TOKEN` |
 | `*.googleapis.com` | `Authorization: Bearer <token>` | gcloud ADC (auto-refresh) |
 
 ## Client Compatibility
diff --git a/internal/credentials/config_test.go b/internal/credentials/config_test.go
@@ -232,35 +232,40 @@ func TestBuildFromConfig_GitHubBearer(t *testing.T) {
 			{
 				EnvVar:       "TEST_GH_TOKEN",
 				InjectorType: "bearer",
-				Domains:      []string{"github.com", "api.github.com", ".githubusercontent.com"},
+				Domains:      []string{"api.github.com"},
 			},
 		},
 	}
 
 	store, _, _ := BuildFromConfig(cfg)
 
-	// Test exact domain match
 	req := &http.Request{
-		URL:    &url.URL{Host: "github.com"},
+		URL:    &url.URL{Host: "api.github.com"},
 		Header: make(http.Header),
 	}
 	if matched, injected := store.InjectCredentials(req); !matched || !injected {
-		t.Error("should match github.com")
+		t.Error("should match api.github.com")
 	}
 	if got := req.Header.Get("Authorization"); got != "Bearer ghp_test" {
 		t.Errorf("Authorization = %q, want %q", got, "Bearer ghp_test")
 	}
 
-	// Test suffix domain match
+	// github.com should NOT match (no PAT for git clone of public repos)
 	req2 := &http.Request{
-		URL:    &url.URL{Host: "raw.githubusercontent.com"},
+		URL:    &url.URL{Host: "github.com"},
 		Header: make(http.Header),
 	}
-	if matched, injected := store.InjectCredentials(req2); !matched || !injected {
-		t.Error("should match raw.githubusercontent.com")
+	if matched, _ := store.InjectCredentials(req2); matched {
+		t.Error("should not match github.com")
 	}
-	if got := req2.Header.Get("Authorization"); got != "Bearer ghp_test" {
-		t.Errorf("Authorization = %q, want %q", got, "Bearer ghp_test")
+
+	// raw.githubusercontent.com should NOT match
+	req3 := &http.Request{
+		URL:    &url.URL{Host: "raw.githubusercontent.com"},
+		Header: make(http.Header),
+	}
+	if matched, _ := store.InjectCredentials(req3); matched {
+		t.Error("should not match raw.githubusercontent.com")
 	}
 }
 
diff --git a/internal/credentials/credentials.json b/internal/credentials/credentials.json
@@ -21,7 +21,7 @@
     {
       "env_var": "GH_TOKEN",
       "injector": "bearer",
-      "domains": ["github.com", "api.github.com", ".githubusercontent.com"]
+      "domains": ["api.github.com"]
     },
     {
       "env_var": "GOOGLE_APPLICATION_CREDENTIALS",

Original file line number	Diff line number	Diff line change
`@@ -232,35 +232,40 @@ func TestBuildFromConfig_GitHubBearer(t *testing.T) {`
`232`	`232`	`{`
`233`	`233`	`EnvVar: "TEST_GH_TOKEN",`
`234`	`234`	`InjectorType: "bearer",`
`235`		`- Domains: []string{"github.com", "api.github.com", ".githubusercontent.com"},`
	`235`	`+ Domains: []string{"api.github.com"},`
`236`	`236`	`},`
`237`	`237`	`},`
`238`	`238`	`}`
`239`	`239`
`240`	`240`	`store, _, _ := BuildFromConfig(cfg)`
`241`	`241`
`242`		`- // Test exact domain match`
`243`	`242`	`req := &http.Request{`
`244`		`- URL: &url.URL{Host: "github.com"},`
	`243`	`+ URL: &url.URL{Host: "api.github.com"},`
`245`	`244`	`Header: make(http.Header),`
`246`	`245`	`}`
`247`	`246`	`if matched, injected := store.InjectCredentials(req); !matched \|\| !injected {`
`248`		`- t.Error("should match github.com")`
	`247`	`+ t.Error("should match api.github.com")`
`249`	`248`	`}`
`250`	`249`	`if got := req.Header.Get("Authorization"); got != "Bearer ghp_test" {`
`251`	`250`	`t.Errorf("Authorization = %q, want %q", got, "Bearer ghp_test")`
`252`	`251`	`}`
`253`	`252`
`254`		`- // Test suffix domain match`
	`253`	`+ // github.com should NOT match (no PAT for git clone of public repos)`
`255`	`254`	`req2 := &http.Request{`
`256`		`- URL: &url.URL{Host: "raw.githubusercontent.com"},`
	`255`	`+ URL: &url.URL{Host: "github.com"},`
`257`	`256`	`Header: make(http.Header),`
`258`	`257`	`}`
`259`		`- if matched, injected := store.InjectCredentials(req2); !matched \|\| !injected {`
`260`		`- t.Error("should match raw.githubusercontent.com")`
	`258`	`+ if matched, _ := store.InjectCredentials(req2); matched {`
	`259`	`+ t.Error("should not match github.com")`
`261`	`260`	`}`
`262`		`- if got := req2.Header.Get("Authorization"); got != "Bearer ghp_test" {`
`263`		`- t.Errorf("Authorization = %q, want %q", got, "Bearer ghp_test")`
	`261`	`+`
	`262`	`+ // raw.githubusercontent.com should NOT match`
	`263`	`+ req3 := &http.Request{`
	`264`	`+ URL: &url.URL{Host: "raw.githubusercontent.com"},`
	`265`	`+ Header: make(http.Header),`
	`266`	`+ }`
	`267`	`+ if matched, _ := store.InjectCredentials(req3); matched {`
	`268`	`+ t.Error("should not match raw.githubusercontent.com")`
`264`	`269`	`}`
`265`	`270`	`}`
`266`	`271`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@`
`21`	`21`	`{`
`22`	`22`	`"env_var": "GH_TOKEN",`
`23`	`23`	`"injector": "bearer",`
`24`		`- "domains": ["github.com", "api.github.com", ".githubusercontent.com"]`
	`24`	`+ "domains": ["api.github.com"]`
`25`	`25`	`},`
`26`	`26`	`{`
`27`	`27`	`"env_var": "GOOGLE_APPLICATION_CREDENTIALS",`