add go backend

Author: tstromberg

README.md

@@ -1,75 +1,82 @@
 # GitHub PR Dashboard
 
-A lightweight, fast dashboard for viewing GitHub pull requests. Built with plain HTML, CSS, and JavaScript for maximum performance and simplicity.
+A lightweight, fast dashboard for viewing GitHub pull requests. Can be served statically or via the included secure Go server with OAuth support.
 
 ## Features
 
-- **Real GitHub Integration**: Login with GitHub OAuth to view your actual pull requests
-- **Smart Categorization**: Automatically groups PRs into Incoming (for review), Outgoing (authored by you), and Drafts
-- **Visual Status Indicators**: Color-coded cards and badges show PR status at a glance
-- **Activity Sparklines**: See PR activity trends for each section
-- **Organization Filtering**: Filter PRs by GitHub organization
+- **Real GitHub Integration**: Login with GitHub OAuth or Personal Access Token
+- **Smart Categorization**: Automatically groups PRs into Incoming, Outgoing, and Drafts
+- **Visual Status Indicators**: Color-coded cards show PR status at a glance
+- **Security Hardened Go Server**: Optional server with comprehensive security features
 - **Demo Mode**: Try the interface with sample data before logging in
-- **URL-based User Switching**: View other users' PRs by adding `?user=username` to the URL
 
 ## Quick Start
 
-1. Open `index.html` in a web browser
-2. Click "Try Demo Mode" to see the interface with sample data, or
-3. Login with GitHub to view your real pull requests
-
-## Status Indicators
+### Static Files (Simple)
+```bash
+# Just open in browser
+open index.html
+```
 
-- 🔴 **Blocked on you**: PRs requiring your immediate attention
-- 🟡 **Stale**: PRs older than 30 days
-- 🟢 **Ready to merge**: PRs approved and ready for merging
-- 🟠 **Merge conflicts**: PRs with conflicts that need resolution
-- ⚪ **Draft**: Work-in-progress pull requests
+### Go Server (OAuth + Security)
+```bash
+go build
+# Client ID defaults to Iv23liYmAKkBpvhHAnQQ
+./dashboard --port=8080 --client-secret=YOUR_SECRET
+```
 
-## GitHub OAuth Setup
+## Go Server Features
+
+### Security
+- **CSRF Protection**: Secure state validation
+- **Rate Limiting**: 10 req/min per IP on OAuth endpoints  
+- **Security Headers**: CSP, X-Frame-Options, HSTS, etc.
+- **Request Tracking**: Unique IDs and security event logging
+- **Origin Validation**: Configurable CORS with `--allowed-origins`
+
+### Configuration
+```bash
+# Environment variables
+PORT=8080 GITHUB_CLIENT_ID=xxx GITHUB_CLIENT_SECRET=yyy ./dashboard
+
+# Command line flags
+# Defaults: client-id=Iv23liYmAKkBpvhHAnQQ, redirect-uri=https://dash.ready-to-review.dev/oauth/callback
+./dashboard \
+  --port=8080 \
+  --client-secret=yyy \
+  --redirect-uri=http://localhost:8080/oauth/callback \
+  --allowed-origins=http://localhost:8080
+```
 
-See [README_OAUTH.md](README_OAUTH.md) for instructions on setting up GitHub OAuth authentication.
+### Endpoints
+- `GET /` - Dashboard
+- `GET /health` - Health check  
+- `GET /oauth/login` - Start OAuth flow
+- `GET /oauth/callback` - OAuth callback
 
-## URL Parameters
+## GitHub OAuth Setup
 
-- `?demo=true` - Launch in demo mode with sample data
-- `?user=username` - View a specific GitHub user's pull requests (requires authentication)
+1. Create OAuth App at GitHub Settings > Developer settings > OAuth Apps
+2. Set callback URL to `https://dash.ready-to-review.dev/oauth/callback` (or your custom URL)
+3. Use the client secret with the Go server (client ID defaults to Iv23liYmAKkBpvhHAnQQ)
 
-## Technical Details
+## Security Best Practices
 
-- **Zero Dependencies**: Pure HTML, CSS, and JavaScript (except for demo data)
-- **Responsive Design**: Works on desktop and mobile devices
-- **Accessible**: ARIA labels and semantic HTML for screen readers
-- **Fast**: Minimal JavaScript, efficient DOM updates
-- **Clean Code**: Well-organized, commented code following best practices
+When using the Go server:
+- **Always use HTTPS in production** - Enables HSTS automatically
+- **Set allowed origins** - Use `--allowed-origins` for your domains
+- **Monitor logs** - Watch for `[SECURITY]` tagged events
+- **Keep updated** - Regular updates for security patches
 
 ## File Structure
 
 ```
-├── index.html           # Main application HTML
-├── assets/
-│   ├── app.js          # Application JavaScript
-│   ├── styles.css      # Application styles
-│   └── demo-data.js    # Demo mode sample data
-└── README_OAUTH.md     # OAuth setup instructions
+├── index.html       # Dashboard UI
+├── main.go          # Secure Go server
+├── assets/          # CSS, JS, demo data  
+└── go.mod           # Go module file
 ```
 
-## Browser Support
-
-- Chrome/Edge (latest)
-- Firefox (latest)
-- Safari (latest)
-- Mobile browsers (iOS Safari, Chrome)
-
-## Contributing
-
-This is a simple, focused application. If you'd like to contribute:
-
-1. Keep it simple - no frameworks or build tools
-2. Maintain backward compatibility
-3. Test on multiple browsers
-4. Follow the existing code style
-
 ## License
 
 MIT

README_OAUTH.md

@@ -665,8 +665,17 @@ const App = (() => {
 
   // Auth Functions
   const initiateOAuthLogin = () => {
-    const authUrl = `https://github.com/login/oauth/authorize?client_id=${CONFIG.CLIENT_ID}&redirect_uri=${encodeURIComponent(CONFIG.OAUTH_REDIRECT_URI)}&scope=repo%20read:org`;
-    window.location.href = authUrl;
+    // Use the Go backend's OAuth endpoint
+    const authWindow = window.open('/oauth/login', 'github-oauth', 'width=600,height=700');
+    
+    // Listen for OAuth callback
+    window.addEventListener('message', async (event) => {
+      if (event.data && event.data.type === 'oauth-callback' && event.data.token) {
+        storeToken(event.data.token);
+        authWindow.close();
+        await initialize();
+      }
+    });
   };
 
   const initiatePATLogin = () => {
@@ -708,17 +717,8 @@ const App = (() => {
   };
 
   const handleOAuthCallback = async () => {
-    const urlParams = new URLSearchParams(window.location.search);
-    const code = urlParams.get('code');
-    
-    if (code) {
-      // In a real implementation, you'd exchange this code for a token
-      // via your backend server. For now, we'll show an error message.
-      showToast('OAuth authentication requires a backend server. Please use Personal Access Token instead.', 'warning');
-      // Clean up URL
-      window.history.replaceState({}, document.title, window.location.pathname);
-      showLoginPrompt();
-    }
+    // OAuth is now handled via popup window and postMessage
+    // This function is kept for backwards compatibility but does nothing
   };
 
   const initiateLogin = () => {

assets/app.js

@@ -0,0 +1,3 @@
+module github.com/r2r/dashboard
+
+go 1.21

go.mod

@@ -0,0 +1,5 @@
+#!/bin/sh
+PROJECT="ready-to-review"
+export KO_DOCKER_REPO="gcr.io/${PROJECT}/dashboard"
+
+gcloud run deploy dashboard --image="$(ko publish .)" --region us-central1 --project "${PROJECT}"