feat(proxy): resolve push identity from token via SCM provider API (#1400)

coopernetes · coopernetes · commit 4b145443b7c1 · 2026-06-19T18:05:47.000-04:00
parsePush incorrectly uses the last commit's committer as the push user.
This adds a new chain processor that extracts the token from HTTP Basic
auth, calls the SCM provider's user API (GitHub GET /user for now), and
maps the SCM login to a git-proxy user via the gitAccount field.

- TokenIdentityProvider interface with hostname-based dispatch
- GitHubTokenIdentityProvider calling api.github.com/user
- resolveUserFromToken chain processor (non-blocking on failure)
- findUserByGitAccount DB lookup (file + mongo)
- GET/PUT /api/v1/user/:username/git-account endpoints
diff --git a/src/db/file/index.ts b/src/db/file/index.ts
@@ -39,6 +39,7 @@ export const {
 export const {
   findUser,
   findUserByEmail,
+  findUserByGitAccount,
   findUserByOIDC,
   findUserBySSHKey,
   getUsers,
diff --git a/src/db/file/users.ts b/src/db/file/users.ts
@@ -92,6 +92,19 @@ export const findUserByEmail = (email: string): Promise<User | null> => {
   });
 };
 
+export const findUserByGitAccount = (gitAccount: string): Promise<User | null> => {
+  return new Promise<User | null>((resolve, reject) => {
+    db.findOne({ gitAccount: gitAccount.toLowerCase() }, (err: Error | null, doc: User) => {
+      /* istanbul ignore if */
+      if (err) {
+        reject(err);
+      } else {
+        resolve(doc ?? null);
+      }
+    });
+  });
+};
+
 export const findUserByOIDC = function (oidcId: string): Promise<User | null> {
   return new Promise<User | null>((resolve, reject) => {
     db.findOne({ oidcId: oidcId }, (err: Error | null, doc: User) => {
diff --git a/src/db/index.ts b/src/db/index.ts
@@ -204,6 +204,8 @@ export const deleteRepo = (_id: string): Promise<void> => start().deleteRepo(_id
 export const findUser = (username: string): Promise<User | null> => start().findUser(username);
 export const findUserByEmail = (email: string): Promise<User | null> =>
   start().findUserByEmail(email);
+export const findUserByGitAccount = (gitAccount: string): Promise<User | null> =>
+  start().findUserByGitAccount(gitAccount);
 export const findUserByOIDC = (oidcId: string): Promise<User | null> =>
   start().findUserByOIDC(oidcId);
 export const findUserBySSHKey = (sshKey: string): Promise<User | null> =>
diff --git a/src/db/mongo/index.ts b/src/db/mongo/index.ts
@@ -39,6 +39,7 @@ export const {
 export const {
   findUser,
   findUserByEmail,
+  findUserByGitAccount,
   findUserByOIDC,
   findUserBySSHKey,
   getUsers,
diff --git a/src/db/mongo/users.ts b/src/db/mongo/users.ts
@@ -34,6 +34,12 @@ export const findUserByEmail = async function (email: string): Promise<User | nu
   return doc ? toClass(doc, User.prototype) : null;
 };
 
+export const findUserByGitAccount = async function (gitAccount: string): Promise<User | null> {
+  const collection = await connect(collectionName);
+  const doc = await collection.findOne({ gitAccount: { $eq: gitAccount.toLowerCase() } });
+  return doc ? toClass(doc, User.prototype) : null;
+};
+
 export const findUserByOIDC = async function (oidcId: string): Promise<User | null> {
   const collection = await connect(collectionName);
   const doc = await collection.findOne({ oidcId: { $eq: oidcId } });
diff --git a/src/db/types.ts b/src/db/types.ts
@@ -138,6 +138,7 @@ export interface Sink {
   deleteRepo: (_id: string) => Promise<void>;
   findUser: (username: string) => Promise<User | null>;
   findUserByEmail: (email: string) => Promise<User | null>;
+  findUserByGitAccount: (gitAccount: string) => Promise<User | null>;
   findUserByOIDC: (oidcId: string) => Promise<User | null>;
   findUserBySSHKey: (sshKey: string) => Promise<User | null>;
   getUsers: (query?: Partial<UserQuery>) => Promise<User[]>;
diff --git a/src/proxy/chain.ts b/src/proxy/chain.ts
@@ -24,6 +24,7 @@ import { handleErrorAndLog } from '../utils/errors';
 
 const pushActionChain: ((req: Request, action: Action) => Promise<Action>)[] = [
   proc.push.parsePush,
+  proc.push.resolveUserFromToken,
   proc.push.checkEmptyBranch,
   proc.push.checkRepoInAuthorisedList,
   proc.push.checkCommitMessages,
diff --git a/src/proxy/processors/push-action/index.ts b/src/proxy/processors/push-action/index.ts
@@ -29,6 +29,7 @@ import { exec as checkIfWaitingAuth } from './checkIfWaitingAuth';
 import { exec as checkCommitMessages } from './checkCommitMessages';
 import { exec as checkAuthorEmails } from './checkAuthorEmails';
 import { exec as checkUserPushPermission } from './checkUserPushPermission';
+import { exec as resolveUserFromToken } from './resolveUserFromToken';
 
 import { exec as checkEmptyBranch } from './checkEmptyBranch';
 
@@ -47,5 +48,6 @@ export {
   checkCommitMessages,
   checkAuthorEmails,
   checkUserPushPermission,
+  resolveUserFromToken,
   checkEmptyBranch,
 };
diff --git a/src/proxy/processors/push-action/resolveUserFromToken.ts b/src/proxy/processors/push-action/resolveUserFromToken.ts
@@ -0,0 +1,116 @@
+/**
+ * Copyright 2026 GitProxy Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { Request } from 'express';
+
+import { Action, Step } from '../../actions';
+import { getProviderForHost } from './tokenIdentity';
+import { findUserByGitAccount } from '../../../db';
+import { getErrorMessage } from '../../../utils/errors';
+
+async function exec(req: Request, action: Action): Promise<Action> {
+  const step = new Step('resolveUserFromToken');
+
+  if (req.user) {
+    step.log(`User already resolved via session auth: ${action.user}`);
+    action.addStep(step);
+    return action;
+  }
+
+  try {
+    const authHeader = req.headers?.authorization;
+    if (!authHeader) {
+      step.log('No Authorization header — cannot resolve push identity from token');
+      action.addStep(step);
+      return action;
+    }
+
+    const [scheme, encoded] = authHeader.split(' ');
+    if (!scheme || !encoded || scheme.toLowerCase() !== 'basic') {
+      step.log('Authorization header is not Basic — cannot resolve push identity');
+      action.addStep(step);
+      return action;
+    }
+
+    const credentials = Buffer.from(encoded, 'base64').toString();
+    const separatorIndex = credentials.indexOf(':');
+    if (separatorIndex === -1) {
+      step.log('Malformed Basic auth credentials');
+      action.addStep(step);
+      return action;
+    }
+
+    const token = credentials.slice(separatorIndex + 1);
+
+    let hostname: string;
+    try {
+      hostname = new URL(action.url).hostname;
+    } catch {
+      step.log(`Cannot parse hostname from action URL: ${action.url}`);
+      action.addStep(step);
+      return action;
+    }
+
+    const provider = getProviderForHost(hostname);
+    if (!provider) {
+      step.log(`No token identity provider for host '${hostname}' — identity resolution skipped`);
+      action.addStep(step);
+      return action;
+    }
+
+    const identity = await provider.fetchScmIdentity(token);
+    if (!identity) {
+      step.log(
+        `${provider.name}: failed to resolve identity from token (invalid token or missing scope?)`,
+      );
+      action.addStep(step);
+      return action;
+    }
+
+    step.log(
+      `${provider.name}: resolved SCM identity from token: ${identity.login} (${identity.email ?? 'no public email'})`,
+    );
+
+    const user = await findUserByGitAccount(identity.login);
+    if (user) {
+      step.log(
+        `Mapped SCM identity '${identity.login}' to git-proxy user '${user.username}' (${user.email})`,
+      );
+      action.user = user.username;
+      action.userEmail = user.email;
+    } else {
+      step.log(
+        `No git-proxy user has gitAccount '${identity.login}' — ` +
+          `falling back to SCM identity. ` +
+          `Users can associate their account via PUT /api/v1/user/:username/git-account`,
+      );
+      action.user = identity.login;
+      if (identity.email) {
+        action.userEmail = identity.email;
+      }
+    }
+  } catch (error: unknown) {
+    const msg = getErrorMessage(error);
+    step.log(`Failed to resolve push identity from token: ${msg}`);
+  }
+
+  action.addStep(step);
+  return action;
+}
+
+exec.displayName = 'resolveUserFromToken.exec';
+
+export { exec };
diff --git a/src/proxy/processors/push-action/tokenIdentity.ts b/src/proxy/processors/push-action/tokenIdentity.ts
@@ -0,0 +1,73 @@
+/**
+ * Copyright 2026 GitProxy Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+export type ScmUserInfo = {
+  login: string;
+  email?: string;
+};
+
+export interface TokenIdentityProvider {
+  readonly name: string;
+  matches(hostname: string): boolean;
+  fetchScmIdentity(token: string): Promise<ScmUserInfo | null>;
+}
+
+type GitHubUserResponse = {
+  login: string;
+  id: number;
+  email: string | null;
+};
+
+export class GitHubTokenIdentityProvider implements TokenIdentityProvider {
+  readonly name = 'github';
+
+  matches(hostname: string): boolean {
+    return hostname === 'github.com';
+  }
+
+  async fetchScmIdentity(token: string): Promise<ScmUserInfo | null> {
+    try {
+      const response = await fetch('https://api.github.com/user', {
+        headers: {
+          Authorization: `token ${token}`,
+          Accept: 'application/vnd.github+json',
+        },
+      });
+
+      if (!response.ok) {
+        console.warn(
+          `GitHub /user API returned ${response.status} — token may be invalid or lack read:user scope`,
+        );
+        return null;
+      }
+
+      const user: GitHubUserResponse = await response.json();
+      return {
+        login: user.login,
+        email: user.email ?? undefined,
+      };
+    } catch (e) {
+      console.warn(`Failed to fetch GitHub identity: ${e}`);
+      return null;
+    }
+  }
+}
+
+const providers: TokenIdentityProvider[] = [new GitHubTokenIdentityProvider()];
+
+export function getProviderForHost(hostname: string): TokenIdentityProvider | null {
+  return providers.find((p) => p.matches(hostname)) ?? null;
+}
diff --git a/src/service/routes/users.ts b/src/service/routes/users.ts
@@ -62,6 +62,56 @@ router.get('/:id', async (req: Request<{ id: string }>, res: Response) => {
   res.send(toPublicUser(user));
 });
 
+// Get git account (SCM identity) for a user
+router.get('/:username/git-account', async (req: Request<{ username: string }>, res: Response) => {
+  const targetUsername = req.params.username.toLowerCase();
+  const user = await db.findUser(targetUsername);
+  if (!user) {
+    res.status(404).json({ error: `User ${targetUsername} not found` });
+    return;
+  }
+  res.json({ username: user.username, gitAccount: user.gitAccount });
+});
+
+// Set git account (SCM identity) for a user
+router.put('/:username/git-account', async (req: Request<{ username: string }>, res: Response) => {
+  if (!req.user) {
+    res.status(401).json({ error: 'Authentication required' });
+    return;
+  }
+
+  const { username, admin } = req.user as { username: string; admin: boolean };
+  const targetUsername = req.params.username.toLowerCase();
+
+  if (username !== targetUsername && !admin) {
+    res.status(403).json({ error: 'Not authorized to update git account for this user' });
+    return;
+  }
+
+  const { gitAccount } = req.body;
+  if (!gitAccount || typeof gitAccount !== 'string' || !gitAccount.trim()) {
+    res.status(400).json({ error: 'gitAccount is required' });
+    return;
+  }
+
+  const existing = await db.findUser(targetUsername);
+  if (!existing) {
+    res.status(404).json({ error: `User ${targetUsername} not found` });
+    return;
+  }
+
+  const conflict = await db.findUserByGitAccount(gitAccount.trim());
+  if (conflict && conflict.username !== targetUsername) {
+    res
+      .status(409)
+      .json({ error: `Git account '${gitAccount}' is already associated with another user` });
+    return;
+  }
+
+  await db.updateUser({ username: targetUsername, gitAccount: gitAccount.trim() });
+  res.json({ username: targetUsername, gitAccount: gitAccount.trim() });
+});
+
 // Get SSH key fingerprints for a user
 router.get(
   '/:username/ssh-key-fingerprints',
diff --git a/test/chain.test.ts b/test/chain.test.ts
@@ -35,6 +35,7 @@ const initMockPushProcessors = () => {
     checkCommitMessages: vi.fn(),
     checkAuthorEmails: vi.fn(),
     checkUserPushPermission: vi.fn(),
+    resolveUserFromToken: vi.fn(),
     checkIfWaitingAuth: vi.fn(),
     checkHiddenCommits: vi.fn(),
     pullRemote: vi.fn(),
diff --git a/test/db/file/users.test.ts b/test/db/file/users.test.ts
diff --git a/test/db/mongo/user.test.ts b/test/db/mongo/user.test.ts
diff --git a/test/processors/resolveUserFromToken.test.ts b/test/processors/resolveUserFromToken.test.ts
diff --git a/test/services/routes/users.test.ts b/test/services/routes/users.test.ts
