Add bearer_auth config toggle for Authorization scheme#13400
Open
williammartin wants to merge 11 commits into
Open
Add bearer_auth config toggle for Authorization scheme#13400williammartin wants to merge 11 commits into
bearer_auth config toggle for Authorization scheme#13400williammartin wants to merge 11 commits into
Conversation
williammartin
force-pushed
the
wm-uber-auth-schema
branch
4 times, most recently
from
340416f to
937d129
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a new configuration toggle (bearer_auth) and env var (GH_BEARER_AUTH) to control whether gh uses Authorization: token … (default) or Authorization: Bearer … when attaching auth tokens to HTTP requests, including during login/refresh/status flows.
Changes:
- Introduces
bearer_authconfig option (per-host) andAuthConfig.BearerAuth(host)resolution (env var override + config lookup). - Updates auth-related HTTP requests and transports to emit
Bearerwhen enabled, and threads the toggle through login, refresh, status, and OAuth viewer verification. - Expands tests to cover config/env resolution and Authorization header behavior.
Show a summary per file
| File | Description |
|---|---|
| pkg/cmd/config/list/list_test.go | Updates config listing expectations to include bearer_auth. |
| pkg/cmd/auth/status/status.go | Threads bearer-auth setting into scope lookup during gh auth status. |
| pkg/cmd/auth/shared/oauth_scopes.go | Updates scope-check requests to use the configured Authorization scheme. |
| pkg/cmd/auth/shared/oauth_scopes_test.go | Adds coverage asserting Bearer Authorization header behavior. |
| pkg/cmd/auth/shared/login_flow.go | Threads bearer-auth through login flow and centralizes header formatting in helper. |
| pkg/cmd/auth/refresh/refresh.go | Threads bearer-auth through refresh flow and scope discovery. |
| pkg/cmd/auth/refresh/refresh_test.go | Updates refresh tests for new AuthFlow signature. |
| pkg/cmd/auth/login/login.go | Uses bearer-auth setting when validating token and fetching current login. |
| pkg/cmd/api/api_test.go | Switches some tests to use isolated test config instead of a ConfigMock. |
| internal/gh/mock/config.go | Extends generated ConfigMock with BearerAuth support (but needs import formatting fix). |
| internal/gh/gh.go | Extends gh.Config and gh.AuthConfig interfaces to support bearer-auth. |
| internal/config/stub.go | Ensures config stub forwards BearerAuth lookups. |
| internal/config/config.go | Adds bearer_auth config plumbing, defaults, and env/config resolution in AuthConfig. |
| internal/config/auth_config_test.go | Adds tests for AuthConfig.BearerAuth behavior (default/global/host/env). |
| internal/authflow/flow.go | Threads bearer-auth into OAuth viewer lookup used after OAuth flow. |
| internal/authflow/flow_test.go | Adds test asserting Bearer Authorization header in OAuth viewer lookup. |
| api/http_client.go | Updates AddAuthTokenHeader to select token vs Bearer per host. |
| api/http_client_test.go | Adds coverage for Bearer Authorization header in HTTP client transport. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Files not reviewed (1)
- internal/gh/mock/config.go: Language not supported
- Files reviewed: 17/18 changed files
- Comments generated: 1
williammartin
force-pushed
the
wm-uber-auth-schema
branch
from
1734423 to
6e63141
Compare
williammartin
commented
May 13, 2026
| type tokenGetter interface { | ||
| ActiveToken(string) (string, string) | ||
| } | ||
| type getTokenFunc func(string) (string, string) |
Member
Author
There was a problem hiding this comment.
This is cleaning up some code that had obviously become stale when the config used to be provided here.
williammartin
commented
May 13, 2026
|
|
||
| var falseyValues = []string{"", "0", "false", "no", "disabled", "off"} | ||
|
|
||
| func IsTruthy(name string) bool { |
Member
Author
There was a problem hiding this comment.
This could be used in other places and should have a follow up PR. It's repeated a few times around the codebase.
Member
Author
There was a problem hiding this comment.
I also suspect it should maybe go into go-gh to form a consistent basis for any extensions too, but that can be a follow up.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Remove BearerAuth(hostname string) bool from the AuthConfig interface and implementation. Bearer auth is a general config setting, not an auth-domain concern, so it belongs on Config alongside other settings like browser, editor, and git_protocol. Update cfg.BearerAuth to check the GH_BEARER_AUTH environment variable first, returning a new ConfigEnvironmentProvided source, before falling back to the standard GetOrDefault config resolution. Split the tokenGetter interface in api/http_client.go so it only contains ActiveToken. Bearer auth is now passed as a separate function via HTTPClientOptions.BearerAuth, with nil-safety defaulting to false. Add an acceptance test verifying that GH_DEBUG=api output shows the correct auth scheme (token vs Bearer) based on GH_BEARER_AUTH. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Replace tokenGetter interface with getTokenFunc in HTTPClientOptions - Replace BearerAuth func(string) bool with GetBearerConfig gh.ConfigGetter - Move GH_BEARER_AUTH env var check to shouldUseBearerAuth in api package - Remove unused notice parameter from AuthFlow - Add ConfigGetter type and remove ConfigEnvironmentProvided source Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Replace tinyConfig map type with stubGetToken helper function - Add disabledBearerConfig for test defaults - Remove nil guard on getBearerConfig in shouldUseBearerAuth - All callers now explicitly provide GetBearerConfig Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Export ShouldUseBearerAuth to centralize env var and config checks - Change GetScopes, HasMinimumScopes, GetCurrentLogin to take gh.ConfigGetter - Replace authTokenHeader with authScheme using api.ShouldUseBearerAuth - Update status.go buildEntryOptions to use gh.ConfigGetter - Add acceptance test for auth status with GH_BEARER_AUTH Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add factory HTTP client coverage via gh repo view. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
If getBearerConfig is not provided, default to disabled rather than panicking with a nil pointer dereference. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
williammartin
force-pushed
the
wm-uber-auth-schema
branch
from
f2c666b to
f4b6e8a
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Fixes #11727
Adds a
bearer_authconfig setting andGH_BEARER_AUTHenvironment variable to control the Authorization header scheme used in HTTP requests.When enabled,
Authorization: token <TOKEN>becomesAuthorization: Bearer <TOKEN>.Acceptance Test
Companion PR
The corresponding
go-ghchanges for extension support: cli/go-gh#222