feat: enhance GitHub access token handling and notification scope val…

…idation

src/home/fetch-github/fetch-notifications.ts

@@ -17,4 +17,4 @@ export async function fetchNotifications(): Promise<GitHubNotification[]> {
   });
 
   return notifications;
-}
+}

src/home/getters/get-github-access-token.ts

@@ -27,19 +27,18 @@ export async function isOrgMemberWithoutScope() {
 }
 
 export async function getGitHubAccessToken(): Promise<string | null> {
-  // better to use official function, looking up localstorage has flaws
   const oauthToken = await checkSupabaseSession();
 
-  const expiresAt = oauthToken?.expires_at;
-  if (expiresAt) {
-    if (expiresAt < Date.now() / 1000) {
-      localStorage.removeItem(`sb-${SUPABASE_STORAGE_KEY}-auth-token`);
-      return null;
-    }
-  }
-
   const accessToken = oauthToken?.provider_token;
   if (accessToken) {
+    const octokit = new Octokit({ auth: accessToken });
+    const { headers } = await octokit.request("HEAD /");
+    const scopes = headers["x-oauth-scopes"]?.split(", ") || [];
+
+    if (!scopes.includes("notifications")) {
+      throw new Error("Missing the 'notifications' scope. Please re-authorize the application with the correct scopes.");
+    }
+
     return accessToken;
   }
 

src/home/notification-manager.ts

@@ -1,6 +1,6 @@
 import { fetchNotifications } from "./fetch-github/fetch-notifications";
 import { getGitHubAccessToken } from "./getters/get-github-access-token";
-import { setLocalStore, getLocalStore } from "./getters/get-local-store";
+import { getLocalStore, setLocalStore } from "./getters/get-local-store";
 import { GITHUB_NOTIFICATIONS_STORAGE_KEY, GitHubNotification, NotificationStorageItems } from "./github-types";
 
 export class NotificationManager {
@@ -45,4 +45,4 @@ export class NotificationManager {
       loggedIn: accessToken !== null,
     });
   }
-}
+}

src/home/rendering/render-github-login-button.ts

@@ -28,7 +28,7 @@ export async function checkSupabaseSession() {
   return session;
 }
 
-async function gitHubLoginButtonHandler(scopes = "public_repo read:org") {
+async function gitHubLoginButtonHandler(scopes: string) {
   const redirectTo = window.location.href;
   const { error } = await supabase.auth.signInWithOAuth({
     provider: "github",
@@ -46,7 +46,7 @@ const augmentAccessButton = document.createElement("button");
 export function renderAugmentAccessButton() {
   augmentAccessButton.id = "augment-access-button";
   augmentAccessButton.innerHTML = `<span title="Allow access to private repositories"><svg viewBox="0 0 24 24" class="svg-icon"><path d="M12 17c1.1 0 2-.9 2-2s-.9-2-2-2-2 .9-2 2 .9 2 2 2m6-9h-1V6c0-2.76-2.24-5-5-5S7 3.24 7 6h1.9c0-1.71 1.39-3.1 3.1-3.1 1.71 0 3.1 1.39 3.1 3.1v2H6c-1.1 0-2 .9-2 2v10c0 1.1.9 2 2 2h12c1.1 0 2-.9 2-2V10c0-1.1-.9-2-2-2m0 12H6V10h12z"></path></svg><span/>`;
-  augmentAccessButton.addEventListener("click", () => gitHubLoginButtonHandler("repo read:org"));
+  augmentAccessButton.addEventListener("click", () => gitHubLoginButtonHandler("repo read:org notifications"));
   return augmentAccessButton;
 }
 
@@ -55,7 +55,7 @@ export const authenticationElement = document.getElementById("authentication") a
 export function renderGitHubLoginButton() {
   gitHubLoginButton.id = "github-login-button";
   gitHubLoginButton.innerHTML = "<span>Login</span><span class='full'>&nbsp;With GitHub</span>";
-  gitHubLoginButton.addEventListener("click", () => gitHubLoginButtonHandler());
+  gitHubLoginButton.addEventListener("click", () => gitHubLoginButtonHandler("public_repo read:org notifications"));
   if (authenticationElement) {
     authenticationElement.appendChild(gitHubLoginButton);
     authenticationElement.classList.add("ready");