
User Attribution Test Guide

This guide explains how to test that tokens generated by this worker attribute actions to the signed-in user (shown with the GitHub App badge) rather than to the app itself.

What Changed

Before (❌ Wrong):

  • The /token endpoint generated installation tokens
  • Actions showed as "app/as-a-bot" (app as the author)
  • No user attribution

After (✅ Correct):

  • Device flow and OAuth endpoints generate user-to-server tokens
  • Actions show as "username" with app badge (user as the author)
  • Proper user attribution in audit logs

How to Test

Method 1: Device Flow Test

# Start the device flow
curl -X POST https://your-worker.workers.dev/user-token/start \
  -H "Content-Type: application/json" \
  -d '{"scopes": "repo"}'

# Response will contain:
# {
#   "device_code": "...",
#   "user_code": "ABCD-1234", 
#   "verification_uri": "https://github.com/login/device",
#   "expires_in": 900,
#   "interval": 5
# }

# Go to the verification_uri and enter the user_code
# Then poll for the token:

curl -X POST https://your-worker.workers.dev/user-token/poll \
  -H "Content-Type: application/json" \
  -d '{"device_code": "YOUR_DEVICE_CODE"}'

# Response will contain the user-to-server token:
# {
#   "access_token": "ghu_...",  # This is a user-to-server token!
#   "token_type": "bearer",
#   "expires_at": "...",
#   "scope": "repo"
# }

Method 2: Web OAuth Flow Test

# Start OAuth flow
curl -X POST https://your-worker.workers.dev/oauth/authorize \
  -H "Content-Type: application/json" \
  -d '{"scopes": "repo", "state": "test123"}'

# Response:
# {
#   "authorization_url": "https://github.com/login/oauth/authorize?client_id=...&scope=repo&state=test123",
#   "message": "Redirect user to authorization_url to complete OAuth flow"
# }

# User visits the authorization_url and approves
# GitHub redirects to your callback with a code
# Then exchange the code:

curl -X POST https://your-worker.workers.dev/oauth/callback \
  -H "Content-Type: application/json" \
  -d '{"code": "AUTH_CODE_FROM_CALLBACK", "state": "test123"}'

# Response contains user-to-server token:
# {
#   "access_token": "ghu_...",  # User-to-server token!
#   "token_type": "bearer", 
#   "expires_at": "...",
#   "scope": "repo",
#   "state": "test123"
# }

Verifying User Attribution

Use the token to make a GitHub API request (e.g., create an issue):

curl -X POST https://api.github.com/repos/OWNER/REPO/issues \
  -H "Authorization: Bearer YOUR_USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Test issue from user-to-server token",
    "body": "This should show the user as the author with app badge"
  }'

Expected Result:

  • Issue will show your username as the author
  • App badge will appear next to your name
  • Activity will be attributed to you, not the app

In GitHub's audit logs:

{
  "action": "issues.create",
  "actor": "your-username",
  "programmatic_access_type": "GitHub App user-to-server token"
}
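The two flows above and the attribution check can be driven from one POSIX shell script. The script below is an added example, not part of the worker or of this guide: it assumes WORKER_URL points at the deployed worker, that /user-token/poll answers a not-yet-approved request with an {"error": ...} object using GitHub's device-flow error codes (authorization_pending, slow_down; this shape is an assumption, the guide does not show it), and it reads JSON with grep/sed so it needs no jq. token_kind classifies a token by GitHub's prefix convention (ghu_ user-to-server, ghs_ installation), and check_attribution confirms via the API that the issue's creator is the token's user and that the issue carries the app association.

```shell
#!/bin/sh
# Added example for this guide; not the worker's own code.
# Assumptions: WORKER_URL is the worker; /user-token/poll returns either the
# token JSON from the guide or {"error": "..."} with GitHub's device-flow codes.
WORKER_URL="${WORKER_URL:-https://your-worker.workers.dev}"
GITHUB_API="${GITHUB_API:-https://api.github.com}"

# Collapse a JSON document onto one line so grep -o can span nested objects.
flat() { printf '%s' "$1" | tr -d '\n\r'; }

# json_field KEY JSON -> first scalar value of "KEY" (string or number), no jq needed.
json_field() {
  flat "$2" \
    | grep -o "\"$1\"[[:space:]]*:[[:space:]]*\"\{0,1\}[^\",}]*" \
    | head -n 1 \
    | sed 's/^"[^"]*"[[:space:]]*:[[:space:]]*"\{0,1\}//'
}

# token_kind TOKEN -> token class by GitHub prefix; this guide expects "user-to-server".
token_kind() {
  case "$1" in
    ghu_*) echo "user-to-server" ;;
    ghs_*) echo "installation (server-to-server)" ;;
    gho_*) echo "oauth-app user token" ;;
    ghp_*) echo "personal access token" ;;
    *)     echo "unknown" ;;
  esac
}

# issue_author ISSUE_JSON -> login of the creator (the issue's "user" object).
issue_author() {
  json_field login "$(flat "$1" | grep -o '"user":[[:space:]]*{[^}]*}')"
}

# issue_via_app ISSUE_JSON -> yes/no: performed_via_github_app is set (not null/absent).
issue_via_app() {
  v=$(json_field performed_via_github_app "$1")
  if [ -n "$v" ] && [ "$v" != "null" ]; then echo yes; else echo no; fi
}

# device_flow_token -> runs the guide's start/poll steps and prints a ghu_ token.
device_flow_token() {
  start=$(curl -fsS -X POST "$WORKER_URL/user-token/start" \
    -H 'Content-Type: application/json' -d '{"scopes": "repo"}') || return 1
  device_code=$(json_field device_code "$start")
  interval=$(json_field interval "$start");     interval=${interval:-5}
  expires_in=$(json_field expires_in "$start"); expires_in=${expires_in:-900}
  echo "Open $(json_field verification_uri "$start") and enter $(json_field user_code "$start")" >&2
  deadline=$(( $(date +%s) + expires_in ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    sleep "$interval"
    poll=$(curl -sS -X POST "$WORKER_URL/user-token/poll" \
      -H 'Content-Type: application/json' -d "{\"device_code\": \"$device_code\"}")
    token=$(json_field access_token "$poll")
    if [ "$(token_kind "$token")" = "user-to-server" ]; then printf '%s\n' "$token"; return 0; fi
    # GitHub's rule for slow_down: add 5 seconds to the polling interval.
    if [ "$(json_field error "$poll")" = "slow_down" ]; then interval=$((interval + 5)); fi
  done
  echo "device flow expired before the user approved" >&2
  return 1
}

# oauth_exchange CODE RETURNED_STATE EXPECTED_STATE -> exchanges the callback code,
# but only if the state GitHub echoed back is the one this client generated.
oauth_exchange() {
  if [ "$2" != "$3" ]; then echo "state mismatch: refusing to exchange code" >&2; return 1; fi
  resp=$(curl -fsS -X POST "$WORKER_URL/oauth/callback" -H 'Content-Type: application/json' \
    -d "{\"code\": \"$1\", \"state\": \"$2\"}") || return 1
  json_field access_token "$resp"
}

# check_attribution TOKEN OWNER REPO ISSUE_NUMBER -> exit 0 only if the issue is
# attributed to the token's user and shows the app association.
check_attribution() {
  me=$(json_field login "$(curl -fsS -H "Authorization: Bearer $1" "$GITHUB_API/user")")
  issue=$(curl -fsS -H "Authorization: Bearer $1" "$GITHUB_API/repos/$2/$3/issues/$4")
  author=$(issue_author "$issue")
  echo "token: $(token_kind "$1"); authenticated as $me; issue author $author; via app: $(issue_via_app "$issue")"
  [ "$me" = "$author" ] && [ "$(issue_via_app "$issue")" = yes ]
}

# Usage (after creating the test issue from the guide):
#   TOKEN=$(device_flow_token) && check_attribution "$TOKEN" OWNER REPO 1
```

A token that starts with ghs_ means the caller is still getting an installation token, which is exactly the "before" behaviour the guide says was removed; the prefix check catches that before any API call is made. The JSON helpers are deliberately minimal: they return the first match for a key, which is why issue_author narrows to the "user" object before looking up login.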

Key Differences in Token Types

| Token Type           | Endpoint                | Author Shown     | Attribution |
|----------------------|-------------------------|------------------|-------------|
| Installation Token   | /token (removed)        | app/as-a-bot     | App         |
| User-to-Server Token | /user-token/*, /oauth/* | username + badge | User        |

Why This Works

  1. Device Flow: Uses GitHub's OAuth Device Authorization Grant
  2. Web OAuth: Uses standard OAuth 2.0 Authorization Code flow
  3. Both flows generate proper user-to-server tokens
  4. User-to-server tokens maintain user identity while showing app association
  5. Installation tokens (removed) always act as the app, never the user