fix: token checker

Author: FedoseevSM

.env.example

@@ -1,11 +1,11 @@
 # Environment Variables Configuration
 # Copy this file to .env and fill in your values
 
-# GitHub Personal Access Token
+# GitHub token (Personal Access Token or fine-grained token)
 # Create a token at: https://github.com/settings/tokens
-# Required permissions: repo (full control of private repositories)
+# Required permissions: repo or repository contents access for the target repository
 # WARNING: Never commit this file or expose the token publicly!
-VITE_API_KEY=your_github_personal_access_token_here
+VITE_API_KEY=your_github_access_token_here
 
 # Security Notes:
 # - Keep this token secure and never share it

README.md

@@ -36,7 +36,7 @@ For more details about bundle analysis and performance monitoring, see [BUNDLE_I
 This application implements several security measures to protect sensitive data:
 
 ### API Token Security
-- ✅ GitHub Personal Access Tokens are stored in environment variables only
+- ✅ GitHub access tokens (Personal Access or fine-grained tokens) are stored in environment variables only
 - ✅ **Service Worker Protection**: Tokens are stored in IndexedDB and injected by service worker
 - ✅ **Network Tab Security**: Authorization headers are not visible in DevTools Network tab
 - ✅ Tokens are never logged in console output or error messages
@@ -67,7 +67,7 @@ cp .env.example .env
 ```
 
 **Required environment variables:**
-- `VITE_API_KEY`: GitHub Personal Access Token with `repo` scope
+- `VITE_API_KEY`: GitHub Personal Access Token or fine-grained token with repository access (`repo` or `contents` permissions)
 
 **Security best practices:**
 - Never commit `.env` files to version control

SERVICE_WORKER_SECURITY.md

@@ -6,7 +6,7 @@ This implementation uses a Service Worker to securely handle GitHub API authenti
 ## Architecture
 
 ### 1. Token Storage
-- GitHub Personal Access Token is stored in IndexedDB within the Service Worker context
+- GitHub access tokens (Personal Access or fine-grained tokens) are stored in IndexedDB within the Service Worker context
 - Token is never accessible from the main application thread after initial setup
 - Token is encrypted at rest using browser's IndexedDB security
 

src/lib/apiErrorHandler.ts

@@ -35,13 +35,15 @@ function isRateLimitError(error: any): boolean {
     'rate limit',
     'api rate limit',
     'too many requests',
-    '403 forbidden', // GitHub returns 403 for rate limits
     'secondary rate limit',
     'exceeded',
     'limit exceeded'
   ];
 
-  return rateLimitPatterns.some(pattern => message.includes(pattern));
+  return (
+    error.status === 429 ||
+    rateLimitPatterns.some(pattern => message.includes(pattern))
+  );
 }
 
 // Export for use in components

src/lib/github.ts

@@ -36,6 +36,19 @@ async function createGitHubError(res: Response): Promise<Error> {
     // ignore parse errors
   }
 
+  if (res.status === 403 && detail) {
+    const normalized = detail.toLowerCase();
+    if (/rate limit|secondary rate limit|exceeded|too many requests/.test(normalized)) {
+      // Keep GitHub rate limit message as-is for user clarity
+    } else if (/resource not accessible|permission|access denied|forbidden|repository access/.test(normalized)) {
+      detail = 'The provided GitHub token does not have permission to access this repository. Use a GitHub fine-grained token with repository access or a PAT with repo/content permissions.';
+    }
+  }
+
+  if (res.status === 401 && !detail) {
+    detail = 'Invalid or missing GitHub token. Check your VITE_API_KEY and token permissions.';
+  }
+
   const message = detail
     ? `GitHub API error: ${res.status} ${statusText} - ${detail}`
     : `GitHub API error: ${res.status} ${statusText}`;