Date Completed: 2025-10-11
The migration from Personal Access Token (PAT) authentication to GitHub App authentication for repository operations is now complete.
World Driven now uses GitHub App authentication exclusively for repository operations (PR management, webhooks, etc.). User OAuth authentication is still used for UI login and user-specific API calls.
- Multi-owner resilience - Survives individual user departures
- Better security - Fine-grained permissions per repository
- Automatic token management - No expired tokens to manage
- Organization support - Works seamlessly with GitHub organizations
- Official GitHub recommendation - Future-proof approach
The repositories collection uses GitHub App authentication:

```javascript
{
  _id: ObjectId(),
  owner: "TooAngel",
  repo: "screeps",
  installationId: 12345678, // Required: GitHub App installation ID
  configured: true,
  createdAt: Date,
  updatedAt: Date
}
```

Note: The `userId` field has been removed. User OAuth tokens are no longer used for repository operations.
Repository Operations (PR management, webhooks):
- GitHub App (Priority 1): Uses `installationId` from the repository configuration
- Worlddriven Token (Priority 2): Uses the `WORLDDRIVEN_GITHUB_TOKEN` environment variable for public repositories
- Error: If a repository has no `installationId`, it cannot be processed
User-Specific Operations (UI, user API calls):
- Users log in via OAuth and their token is used for user-specific API endpoints like `/v1/repositories`
- This provides better rate limits for authenticated users
Repository Access:
- New `Auth` class provides the authentication strategy for repository operations
- `GitHubClient` class handles GitHub API requests with automatic auth fallback
- Uses the GitHub App installation ID, never user tokens
User-Specific Access:
- Legacy hybrid functions in `src/helpers/github.js` accept a user object OR an installation ID
- User-authenticated routes (like `/v1/repositories/:owner/:repo`) use user tokens
- Provides better rate limits for logged-in users viewing their own repositories
Example:

```javascript
// Repository operations (PR processing, webhooks)
const auth = new Auth({ owner, repo });
const githubClient = new GitHubClient(auth);
await githubClient.getPullRequest(owner, repo, number);

// User-specific operations (user's repo list)
const repos = await fetch('https://api.github.com/user/repos', {
  headers: { Authorization: `token ${user.githubAccessToken}` }
});
```

Add these new environment variables for GitHub App support:
```bash
# GitHub App Configuration
GITHUB_APP_ID=your_app_id
GITHUB_APP_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----..."
GITHUB_WEBHOOK_SECRET=your_webhook_secret
GITHUB_APP_NAME=world-driven # Optional, for installation URL

# Keep existing OAuth for backward compatibility
GITHUB_CLIENT_ID=existing_oauth_client_id
GITHUB_CLIENT_SECRET=existing_oauth_secret
```

- Login: Visit `/login` to authenticate with GitHub OAuth (for UI access)
- Install App: Visit `/install-app` to install the World Driven GitHub App
- Select Repositories: Choose which repositories to enable World Driven on
- Automatic Configuration: Repositories will be automatically configured with GitHub App authentication
Note: User OAuth login is required to access the UI, but repository operations use the GitHub App, not user tokens.
When the GitHub App is installed on repositories that already exist in the database (from PAT setup), the system automatically:
- Updates the repository record to include `installationId`
- Keeps the existing `userId` for backward compatibility
- Switches to GitHub App authentication for all operations
To migrate existing PAT repositories to GitHub App:
- Install the GitHub App on your account/organization
- Select the repositories you want to migrate
- The webhook handlers will automatically update the database
Run the migration script to add the `installationId` field to existing repositories:

```bash
node scripts/add-installation-field.js
```

The GitHub App handles additional webhook events:
- `installation` - App installed/uninstalled
- `installation_repositories` - Repositories added/removed from installation
- `pull_request` - Pull request events (existing)
- `pull_request_review` - Review events (existing)
- `push` - Push events (existing)
The application logs the authentication method for each repository during processing:

```text
Using GitHub App authentication (installation: 12345678)
```

If a repository has no GitHub App installed:

```text
No GitHub App configured for owner/repo
```
Changes Made:
- ✅ Removed `userId` field from repository schema
- ✅ Removed PAT authentication for repository operations
- ✅ All repository processing uses GitHub App only
- ✅ OAuth login maintained for UI access and user-specific operations
- ✅ Users collection preserved (needed for OAuth login)
What's Kept:
- OAuth login flow at `/login` (for UI access)
- User tokens for user-specific API calls (better rate limits)
- Users collection in database (for session management)
- Hybrid functions in `github.js` (for backward compatibility in user routes)
Check the authentication method in logs:
- If "No GitHub App configured", install the GitHub App on the repository
- If "HTTP 401: Unauthorized", the GitHub App installation may have insufficient permissions or been uninstalled
- Verify the repository is included in the GitHub App installation
- Verify the app is installed on the repository owner's account
- Check that the repository is included in the installation
- Ensure the webhook URL is correctly configured
- Verify environment variables are set correctly
- GitHub App tokens are managed and refreshed automatically
- User OAuth tokens may expire (only affects UI login, not repository operations)
- Check GitHub App permissions if repository operations fail
Test the complete flow:
- User Login: Verify the OAuth login flow at `/login` works
- App Installation: Install the GitHub App on a test repository
- Webhooks: Verify webhook events are received and processed
- PR Processing: Check that pull requests are processed correctly with GitHub App authentication
- Public API: Verify anonymous users can view PR data via fallback token
- User API: Verify logged-in users can list their repositories with their OAuth token