Merge pull request #569 from Chris0Jeky/feature/539-github-oauth

Add GitHub OAuth login for cloud instance

Author: Chris0Jeky

backend/src/Taskdeck.Api/Controllers/AuthController.cs

@@ -1,3 +1,6 @@
+using System.Collections.Concurrent;
+using System.Security.Cryptography;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.RateLimiting;
 using Taskdeck.Api.Contracts;
@@ -7,20 +10,28 @@
 using Taskdeck.Application.DTOs;
 using Taskdeck.Application.Services;
 using Taskdeck.Domain.Exceptions;
+using AuthenticationService = Taskdeck.Application.Services.AuthenticationService;
 
 namespace Taskdeck.Api.Controllers;
 
 public record ChangePasswordRequest(Guid UserId, string CurrentPassword, string NewPassword);
+public record ExchangeCodeRequest(string Code);
 
 [ApiController]
 [Route("api/auth")]
 public class AuthController : ControllerBase
 {
     private readonly AuthenticationService _authService;
+    private readonly GitHubOAuthSettings _gitHubOAuthSettings;
 
-    public AuthController(AuthenticationService authService)
+    // Short-lived, single-use authorization codes to avoid exposing JWT in URLs.
+    // Key: code, Value: (token, expiry). Codes expire after 60 seconds.
+    private static readonly ConcurrentDictionary<string, (AuthResultDto Result, DateTimeOffset Expiry)> _authCodes = new();
+
+    public AuthController(AuthenticationService authService, GitHubOAuthSettings gitHubOAuthSettings)
     {
         _authService = authService;
+        _gitHubOAuthSettings = gitHubOAuthSettings;
     }
 
     [HttpPost("login")]
@@ -56,4 +67,145 @@ public async Task<IActionResult> ChangePassword([FromBody] ChangePasswordRequest
         var result = await _authService.ChangePasswordAsync(request.UserId, request.CurrentPassword, request.NewPassword);
         return result.IsSuccess ? NoContent() : result.ToErrorActionResult();
     }
+
+    /// <summary>
+    /// Initiates GitHub OAuth login flow. Only available when GitHub OAuth is configured.
+    /// </summary>
+    [HttpGet("github/login")]
+    [EnableRateLimiting(RateLimitingPolicyNames.AuthPerIp)]
+    public IActionResult GitHubLogin([FromQuery] string? returnUrl = null)
+    {
+        if (!_gitHubOAuthSettings.IsConfigured)
+            return NotFound(new ApiErrorResponse(ErrorCodes.NotFound, "GitHub OAuth is not configured"));
+
+        // Validate returnUrl to prevent open redirect
+        if (!string.IsNullOrWhiteSpace(returnUrl) && !Url.IsLocalUrl(returnUrl))
+            return BadRequest(new ApiErrorResponse(ErrorCodes.ValidationError, "Invalid return URL"));
+
+        var properties = new Microsoft.AspNetCore.Authentication.AuthenticationProperties
+        {
+            RedirectUri = Url.Action(nameof(GitHubCallback), new { returnUrl }),
+            Items = { { "LoginProvider", "GitHub" } }
+        };
+
+        return Challenge(properties, "GitHub");
+    }
+
+    /// <summary>
+    /// Handles the GitHub OAuth callback, creates/links the user, and redirects with a JWT token.
+    /// </summary>
+    [HttpGet("github/callback")]
+    [EnableRateLimiting(RateLimitingPolicyNames.AuthPerIp)]
+    public async Task<IActionResult> GitHubCallback([FromQuery] string? returnUrl = null)
+    {
+        if (!_gitHubOAuthSettings.IsConfigured)
+            return NotFound(new ApiErrorResponse(ErrorCodes.NotFound, "GitHub OAuth is not configured"));
+
+        var authenticateResult = await HttpContext.AuthenticateAsync("GitHub");
+        if (!authenticateResult.Succeeded || authenticateResult.Principal == null)
+        {
+            return Unauthorized(new ApiErrorResponse(
+                ErrorCodes.AuthenticationFailed,
+                "GitHub authentication failed"));
+        }
+
+        var claims = authenticateResult.Principal.Claims.ToList();
+        var providerUserId = claims.FirstOrDefault(c => c.Type == System.Security.Claims.ClaimTypes.NameIdentifier)?.Value;
+        var username = claims.FirstOrDefault(c => c.Type == System.Security.Claims.ClaimTypes.Name)?.Value
+                       ?? claims.FirstOrDefault(c => c.Type == "urn:github:login")?.Value;
+        var email = claims.FirstOrDefault(c => c.Type == System.Security.Claims.ClaimTypes.Email)?.Value;
+        var displayName = claims.FirstOrDefault(c => c.Type == "urn:github:name")?.Value;
+        var avatarUrl = claims.FirstOrDefault(c => c.Type == "urn:github:avatar")?.Value;
+
+        if (string.IsNullOrWhiteSpace(providerUserId))
+        {
+            return Unauthorized(new ApiErrorResponse(
+                ErrorCodes.AuthenticationFailed,
+                "GitHub did not return a user identifier"));
+        }
+
+        // GitHub may not return an email if user's email is private
+        if (string.IsNullOrWhiteSpace(email))
+            email = $"{providerUserId}@users.noreply.github.com";
+
+        if (string.IsNullOrWhiteSpace(username))
+            username = $"github-user-{providerUserId}";
+
+        var dto = new ExternalLoginDto(
+            Provider: "GitHub",
+            ProviderUserId: providerUserId,
+            Username: username,
+            Email: email,
+            DisplayName: displayName,
+            AvatarUrl: avatarUrl);
+
+        var result = await _authService.ExternalLoginAsync(dto);
+
+        if (!result.IsSuccess)
+            return result.ToErrorActionResult();
+
+        // Sign out the temporary cookie used during the OAuth handshake
+        await HttpContext.SignOutAsync("GitHub");
+
+        // Security: Do NOT put the JWT in the URL. Use a short-lived, single-use
+        // authorization code that the frontend exchanges via POST.
+        var code = GenerateAuthCode();
+        _authCodes[code] = (result.Value, DateTimeOffset.UtcNow.AddSeconds(60));
+        CleanupExpiredCodes();
+
+        var safeReturnUrl = !string.IsNullOrWhiteSpace(returnUrl) && Url.IsLocalUrl(returnUrl)
+            ? returnUrl
+            : "/";
+
+        var separator = safeReturnUrl.Contains('?') ? "&" : "?";
+        return Redirect($"{safeReturnUrl}{separator}oauth_code={Uri.EscapeDataString(code)}");
+    }
+
+    /// <summary>
+    /// Exchanges a short-lived OAuth authorization code for a JWT token.
+    /// The code is single-use and expires after 60 seconds.
+    /// </summary>
+    [HttpPost("github/exchange")]
+    [EnableRateLimiting(RateLimitingPolicyNames.AuthPerIp)]
+    public IActionResult ExchangeCode([FromBody] ExchangeCodeRequest request)
+    {
+        if (string.IsNullOrWhiteSpace(request.Code))
+            return BadRequest(new ApiErrorResponse(ErrorCodes.ValidationError, "Code is required"));
+
+        if (!_authCodes.TryRemove(request.Code, out var entry))
+            return Unauthorized(new ApiErrorResponse(ErrorCodes.AuthenticationFailed, "Invalid or expired code"));
+
+        if (DateTimeOffset.UtcNow > entry.Expiry)
+            return Unauthorized(new ApiErrorResponse(ErrorCodes.AuthenticationFailed, "Code has expired"));
+
+        return Ok(entry.Result);
+    }
+
+    /// <summary>
+    /// Returns whether GitHub OAuth login is available on this instance.
+    /// </summary>
+    [HttpGet("providers")]
+    public IActionResult GetProviders()
+    {
+        return Ok(new
+        {
+            GitHub = _gitHubOAuthSettings.IsConfigured
+        });
+    }
+
+    private static string GenerateAuthCode()
+    {
+        var bytes = RandomNumberGenerator.GetBytes(32);
+        return Convert.ToBase64String(bytes).Replace("+", "-").Replace("/", "_").TrimEnd('=');
+    }
+
+    private static void CleanupExpiredCodes()
+    {
+        var now = DateTimeOffset.UtcNow;
+        foreach (var kvp in _authCodes)
+        {
+            if (now > kvp.Value.Expiry)
+                _authCodes.TryRemove(kvp.Key, out _);
+        }
+    }
 }

backend/src/Taskdeck.Api/Extensions/AuthenticationRegistration.cs

@@ -1,18 +1,22 @@
+using System.Security.Claims;
 using System.Text;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authentication.OAuth.Claims;
 using Microsoft.IdentityModel.Tokens;
-using Microsoft.Net.Http.Headers;
 using Taskdeck.Api.Contracts;
 using Taskdeck.Application.Services;
 using Taskdeck.Domain.Exceptions;
+using HeaderNames = Microsoft.Net.Http.Headers.HeaderNames;
 
 namespace Taskdeck.Api.Extensions;
 
 public static class AuthenticationRegistration
 {
     public static IServiceCollection AddTaskdeckAuthentication(
         this IServiceCollection services,
-        JwtSettings jwtSettings)
+        JwtSettings jwtSettings,
+        GitHubOAuthSettings? gitHubOAuthSettings = null)
     {
         if (string.IsNullOrWhiteSpace(jwtSettings.SecretKey) ||
             jwtSettings.SecretKey.Length < 32 ||
@@ -22,7 +26,7 @@ public static IServiceCollection AddTaskdeckAuthentication(
             return services;
         }
 
-        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+        var authBuilder = services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
             .AddJwtBearer(options =>
             {
                 options.TokenValidationParameters = new TokenValidationParameters
@@ -81,6 +85,34 @@ await context.Response.WriteAsJsonAsync(new ApiErrorResponse(
                 };
             });
 
+        // Environment-gated: only add GitHub OAuth when configured
+        if (gitHubOAuthSettings is { IsConfigured: true })
+        {
+            authBuilder.AddOAuth("GitHub", options =>
+            {
+                options.ClientId = gitHubOAuthSettings.ClientId;
+                options.ClientSecret = gitHubOAuthSettings.ClientSecret;
+                options.AuthorizationEndpoint = "https://github.com/login/oauth/authorize";
+                options.TokenEndpoint = "https://github.com/login/oauth/access_token";
+                options.UserInformationEndpoint = "https://api.github.com/user";
+                options.CallbackPath = "/api/auth/github/oauth-redirect";
+                options.SaveTokens = false;
+
+                options.Scope.Add("read:user");
+                options.Scope.Add("user:email");
+
+                options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");
+                options.ClaimActions.MapJsonKey(ClaimTypes.Name, "login");
+                options.ClaimActions.MapJsonKey(ClaimTypes.Email, "email");
+                options.ClaimActions.MapJsonKey("urn:github:name", "name");
+                options.ClaimActions.MapJsonKey("urn:github:login", "login");
+                options.ClaimActions.MapJsonKey("urn:github:avatar", "avatar_url");
+
+                // OAuthHandler fetches UserInformationEndpoint automatically
+                // and applies ClaimActions — no custom OnCreatingTicket needed.
+            });
+        }
+
         return services;
     }
 

backend/src/Taskdeck.Api/Extensions/SettingsRegistration.cs

@@ -10,7 +10,8 @@ public static IServiceCollection AddTaskdeckSettings(
         IHostEnvironment environment,
         out ObservabilitySettings observabilitySettings,
         out RateLimitingSettings rateLimitingSettings,
-        out JwtSettings jwtSettings)
+        out JwtSettings jwtSettings,
+        out GitHubOAuthSettings gitHubOAuthSettings)
     {
         observabilitySettings = configuration
             .GetSection("Observability")
@@ -41,6 +42,9 @@ public static IServiceCollection AddTaskdeckSettings(
         jwtSettings = configuration.GetSection("Jwt").Get<JwtSettings>() ?? new JwtSettings();
         services.AddSingleton(jwtSettings);
 
+        gitHubOAuthSettings = configuration.GetSection("GitHubOAuth").Get<GitHubOAuthSettings>() ?? new GitHubOAuthSettings();
+        services.AddSingleton(gitHubOAuthSettings);
+
         var sandboxSettings = configuration.GetSection("DevelopmentSandbox").Get<DevelopmentSandboxSettings>() ?? new DevelopmentSandboxSettings();
         sandboxSettings.Enabled = sandboxSettings.Enabled && environment.IsDevelopment();
         services.AddSingleton(sandboxSettings);

backend/src/Taskdeck.Api/Program.cs

@@ -29,7 +29,8 @@
     builder.Environment,
     out var observabilitySettings,
     out var rateLimitingSettings,
-    out var jwtSettings);
+    out var jwtSettings,
+    out var gitHubOAuthSettings);
 
 // Add Infrastructure (DbContext, Repositories)
 builder.Services.AddInfrastructure(builder.Configuration);
@@ -44,8 +45,8 @@
 builder.Services.AddHttpContextAccessor();
 builder.Services.AddScoped<Taskdeck.Application.Interfaces.IUserContext, Taskdeck.Infrastructure.Identity.UserContext>();
 
-// Add JWT Authentication
-builder.Services.AddTaskdeckAuthentication(jwtSettings);
+// Add JWT Authentication (with optional GitHub OAuth)
+builder.Services.AddTaskdeckAuthentication(jwtSettings, gitHubOAuthSettings);
 
 // Add OpenTelemetry observability
 builder.Services.AddTaskdeckObservability(observabilitySettings);

backend/src/Taskdeck.Api/appsettings.json

@@ -73,6 +73,10 @@
     "XFrameOptions": "DENY",
     "ReferrerPolicy": "no-referrer"
   },
+  "GitHubOAuth": {
+    "ClientId": "",
+    "ClientSecret": ""
+  },
   "AllowedHosts": "*",
   "ConnectionStrings": {
     "DefaultConnection": "Data Source=taskdeck.db"

backend/src/Taskdeck.Application/DTOs/UserDtos.cs

@@ -29,3 +29,11 @@ public record LoginDto(
 public record AuthResultDto(
     string Token,
     UserDto User);
+
+public record ExternalLoginDto(
+    string Provider,
+    string ProviderUserId,
+    string Username,
+    string Email,
+    string? DisplayName = null,
+    string? AvatarUrl = null);

backend/src/Taskdeck.Application/Interfaces/IExternalLoginRepository.cs

@@ -0,0 +1,9 @@
+using Taskdeck.Domain.Entities;
+
+namespace Taskdeck.Application.Interfaces;
+
+public interface IExternalLoginRepository : IRepository<ExternalLogin>
+{
+    Task<ExternalLogin?> GetByProviderAsync(string provider, string providerUserId, CancellationToken cancellationToken = default);
+    Task<IEnumerable<ExternalLogin>> GetByUserIdAsync(Guid userId, CancellationToken cancellationToken = default);
+}

backend/src/Taskdeck.Application/Interfaces/IUnitOfWork.cs

@@ -26,6 +26,7 @@ public interface IUnitOfWork
     IAgentRunRepository AgentRuns { get; }
     IKnowledgeDocumentRepository KnowledgeDocuments { get; }
     IKnowledgeChunkRepository KnowledgeChunks { get; }
+    IExternalLoginRepository ExternalLogins { get; }
 
     Task<int> SaveChangesAsync(CancellationToken cancellationToken = default);
     Task BeginTransactionAsync(CancellationToken cancellationToken = default);