feat(proxy): resolve push identity from token via SCM provider API (#1400)

parsePush incorrectly uses the last commit's committer as the push user.
This adds a new chain processor that extracts the token from HTTP Basic
auth, calls the SCM provider's user API (GitHub GET /user for now), and
maps the SCM login to a git-proxy user via the gitAccount field.

- TokenIdentityProvider interface with hostname-based dispatch
- GitHubTokenIdentityProvider calling api.github.com/user
- resolveUserFromToken chain processor (non-blocking on failure)
- findUserByGitAccount DB lookup (file + mongo)
- GET/PUT /api/v1/user/:username/git-account endpoints

Author: coopernetes

src/db/file/index.ts

@@ -39,6 +39,7 @@ export const {
 export const {
   findUser,
   findUserByEmail,
+  findUserByGitAccount,
   findUserByOIDC,
   findUserBySSHKey,
   getUsers,

src/db/file/users.ts

@@ -92,6 +92,19 @@ export const findUserByEmail = (email: string): Promise<User | null> => {
   });
 };
 
+export const findUserByGitAccount = (gitAccount: string): Promise<User | null> => {
+  return new Promise<User | null>((resolve, reject) => {
+    db.findOne({ gitAccount: gitAccount.toLowerCase() }, (err: Error | null, doc: User) => {
+      /* istanbul ignore if */
+      if (err) {
+        reject(err);
+      } else {
+        resolve(doc ?? null);
+      }
+    });
+  });
+};
+
 export const findUserByOIDC = function (oidcId: string): Promise<User | null> {
   return new Promise<User | null>((resolve, reject) => {
     db.findOne({ oidcId: oidcId }, (err: Error | null, doc: User) => {

src/db/index.ts

@@ -204,6 +204,8 @@ export const deleteRepo = (_id: string): Promise<void> => start().deleteRepo(_id
 export const findUser = (username: string): Promise<User | null> => start().findUser(username);
 export const findUserByEmail = (email: string): Promise<User | null> =>
   start().findUserByEmail(email);
+export const findUserByGitAccount = (gitAccount: string): Promise<User | null> =>
+  start().findUserByGitAccount(gitAccount);
 export const findUserByOIDC = (oidcId: string): Promise<User | null> =>
   start().findUserByOIDC(oidcId);
 export const findUserBySSHKey = (sshKey: string): Promise<User | null> =>

src/db/mongo/index.ts

@@ -39,6 +39,7 @@ export const {
 export const {
   findUser,
   findUserByEmail,
+  findUserByGitAccount,
   findUserByOIDC,
   findUserBySSHKey,
   getUsers,

src/db/mongo/users.ts

@@ -34,6 +34,12 @@ export const findUserByEmail = async function (email: string): Promise<User | nu
   return doc ? toClass(doc, User.prototype) : null;
 };
 
+export const findUserByGitAccount = async function (gitAccount: string): Promise<User | null> {
+  const collection = await connect(collectionName);
+  const doc = await collection.findOne({ gitAccount: { $eq: gitAccount.toLowerCase() } });
+  return doc ? toClass(doc, User.prototype) : null;
+};
+
 export const findUserByOIDC = async function (oidcId: string): Promise<User | null> {
   const collection = await connect(collectionName);
   const doc = await collection.findOne({ oidcId: { $eq: oidcId } });

src/db/types.ts

@@ -138,6 +138,7 @@ export interface Sink {
   deleteRepo: (_id: string) => Promise<void>;
   findUser: (username: string) => Promise<User | null>;
   findUserByEmail: (email: string) => Promise<User | null>;
+  findUserByGitAccount: (gitAccount: string) => Promise<User | null>;
   findUserByOIDC: (oidcId: string) => Promise<User | null>;
   findUserBySSHKey: (sshKey: string) => Promise<User | null>;
   getUsers: (query?: Partial<UserQuery>) => Promise<User[]>;

src/proxy/chain.ts

@@ -24,6 +24,7 @@ import { handleErrorAndLog } from '../utils/errors';
 
 const pushActionChain: ((req: Request, action: Action) => Promise<Action>)[] = [
   proc.push.parsePush,
+  proc.push.resolveUserFromToken,
   proc.push.checkEmptyBranch,
   proc.push.checkRepoInAuthorisedList,
   proc.push.checkCommitMessages,

src/proxy/processors/push-action/index.ts

@@ -29,6 +29,7 @@ import { exec as checkIfWaitingAuth } from './checkIfWaitingAuth';
 import { exec as checkCommitMessages } from './checkCommitMessages';
 import { exec as checkAuthorEmails } from './checkAuthorEmails';
 import { exec as checkUserPushPermission } from './checkUserPushPermission';
+import { exec as resolveUserFromToken } from './resolveUserFromToken';
 
 import { exec as checkEmptyBranch } from './checkEmptyBranch';
 
@@ -47,5 +48,6 @@ export {
   checkCommitMessages,
   checkAuthorEmails,
   checkUserPushPermission,
+  resolveUserFromToken,
   checkEmptyBranch,
 };

src/proxy/processors/push-action/resolveUserFromToken.ts

@@ -0,0 +1,125 @@
+/**
+ * Copyright 2026 GitProxy Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { Request } from 'express';
+
+import { Action, Step } from '../../actions';
+import { getProviderForHost, scmTokenCache } from './tokenIdentity';
+import { findUserByGitAccount } from '../../../db';
+import { getErrorMessage } from '../../../utils/errors';
+
+async function exec(req: Request, action: Action): Promise<Action> {
+  const step = new Step('resolveUserFromToken');
+
+  if (req.user) {
+    step.log(`User already resolved via session auth: ${action.user}`);
+    action.addStep(step);
+    return action;
+  }
+
+  try {
+    const authHeader = req.headers?.authorization;
+    if (!authHeader) {
+      step.log('No Authorization header — cannot resolve push identity from token');
+      action.addStep(step);
+      return action;
+    }
+
+    const [scheme, encoded] = authHeader.split(' ');
+    if (!scheme || !encoded || scheme.toLowerCase() !== 'basic') {
+      step.log('Authorization header is not Basic — cannot resolve push identity');
+      action.addStep(step);
+      return action;
+    }
+
+    const credentials = Buffer.from(encoded, 'base64').toString();
+    const separatorIndex = credentials.indexOf(':');
+    if (separatorIndex === -1) {
+      step.log('Malformed Basic auth credentials');
+      action.addStep(step);
+      return action;
+    }
+
+    const token = credentials.slice(separatorIndex + 1);
+
+    let hostname: string;
+    try {
+      hostname = new URL(action.url).hostname;
+    } catch {
+      step.log(`Cannot parse hostname from action URL: ${action.url}`);
+      action.addStep(step);
+      return action;
+    }
+
+    const provider = getProviderForHost(hostname);
+    if (!provider) {
+      step.log(`No token identity provider for host '${hostname}' — identity resolution skipped`);
+      action.addStep(step);
+      return action;
+    }
+
+    const cached = scmTokenCache.lookup(provider.name, token);
+    if (cached) {
+      step.log(`${provider.name}: resolved push identity from cache: ${cached}`);
+      action.user = cached;
+      action.addStep(step);
+      return action;
+    }
+
+    const identity = await provider.fetchScmIdentity(token);
+    if (!identity) {
+      step.log(
+        `${provider.name}: failed to resolve identity from token (invalid token or missing scope?)`,
+      );
+      action.addStep(step);
+      return action;
+    }
+
+    step.log(
+      `${provider.name}: resolved SCM identity from token: ${identity.login} (${identity.email ?? 'no public email'})`,
+    );
+
+    const user = await findUserByGitAccount(identity.login);
+    if (user) {
+      step.log(
+        `Mapped SCM identity '${identity.login}' to git-proxy user '${user.username}' (${user.email})`,
+      );
+      action.user = user.username;
+      action.userEmail = user.email;
+      scmTokenCache.store(provider.name, token, user.username);
+    } else {
+      step.log(
+        `No git-proxy user has gitAccount '${identity.login}' — ` +
+          `falling back to SCM identity. ` +
+          `Users can associate their account via PUT /api/v1/user/:username/git-account`,
+      );
+      action.user = identity.login;
+      if (identity.email) {
+        action.userEmail = identity.email;
+      }
+    }
+  } catch (error: unknown) {
+    const msg = getErrorMessage(error);
+    step.log(`Failed to resolve push identity from token: ${msg}`);
+  }
+
+  action.addStep(step);
+  return action;
+}
+
+exec.displayName = 'resolveUserFromToken.exec';
+
+export { exec };

src/proxy/processors/push-action/tokenIdentity.ts

@@ -0,0 +1,114 @@
+/**
+ * Copyright 2026 GitProxy Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import crypto from 'crypto';
+
+export type ScmUserInfo = {
+  login: string;
+  email?: string;
+};
+
+type CacheEntry = { username: string; provider: string; cachedAt: number };
+const DEFAULT_TTL_MS = 5 * 60 * 1000;
+
+export class ScmTokenCache {
+  private readonly cache = new Map<string, CacheEntry>();
+  private readonly ttlMs: number;
+
+  constructor(ttlMs = DEFAULT_TTL_MS) {
+    this.ttlMs = ttlMs;
+  }
+
+  private key(provider: string, token: string): string {
+    return crypto.createHash('sha512').update(`${provider}:${token}`).digest('hex');
+  }
+
+  lookup(provider: string, token: string): string | null {
+    const k = this.key(provider, token);
+    const entry = this.cache.get(k);
+    if (!entry) return null;
+    if (Date.now() - entry.cachedAt > this.ttlMs) {
+      this.cache.delete(k);
+      return null;
+    }
+    return entry.username;
+  }
+
+  store(provider: string, token: string, username: string): void {
+    this.cache.set(this.key(provider, token), { username, provider, cachedAt: Date.now() });
+  }
+
+  evictByUsername(provider: string, username: string): void {
+    for (const [k, entry] of this.cache.entries()) {
+      if (entry.username === username && entry.provider === provider) this.cache.delete(k);
+    }
+  }
+}
+
+export const scmTokenCache = new ScmTokenCache();
+
+export interface TokenIdentityProvider {
+  readonly name: string;
+  matches(hostname: string): boolean;
+  fetchScmIdentity(token: string): Promise<ScmUserInfo | null>;
+}
+
+type GitHubUserResponse = {
+  login: string;
+  id: number;
+  email: string | null;
+};
+
+export class GitHubTokenIdentityProvider implements TokenIdentityProvider {
+  readonly name = 'github';
+
+  matches(hostname: string): boolean {
+    return hostname === 'github.com';
+  }
+
+  async fetchScmIdentity(token: string): Promise<ScmUserInfo | null> {
+    try {
+      const response = await fetch('https://api.github.com/user', {
+        headers: {
+          Authorization: `token ${token}`,
+          Accept: 'application/vnd.github+json',
+        },
+      });
+
+      if (!response.ok) {
+        console.warn(
+          `GitHub /user API returned ${response.status} — token may be invalid or lack read:user scope`,
+        );
+        return null;
+      }
+
+      const user: GitHubUserResponse = await response.json();
+      return {
+        login: user.login,
+        email: user.email ?? undefined,
+      };
+    } catch (e) {
+      console.warn(`Failed to fetch GitHub identity: ${e}`);
+      return null;
+    }
+  }
+}
+
+const providers: TokenIdentityProvider[] = [new GitHubTokenIdentityProvider()];
+
+export function getProviderForHost(hostname: string): TokenIdentityProvider | null {
+  return providers.find((p) => p.matches(hostname)) ?? null;
+}