From f38ed0dbcd4f3a13bd3e7d6807a998a226515e20 Mon Sep 17 00:00:00 2001
From: Che <30403707+Che-Zhu@users.noreply.github.com>
Date: Fri, 6 Mar 2026 14:38:14 +0800
Subject: [PATCH] feat(auth): replace GitHub OAuth with GitHub App OAuth

- Create GitHub App OAuth provider for NextAuth
- Update auth.ts to use new provider with refresh token support
- Update repoService.ts to use getUserGitHubToken() for token management
- Add auto-trigger GitHub App installation after login
- Update settings-dialog.tsx to use GitHub App installation flow
- Remove deprecated GitHub OAuth API routes
- Update environment variables template

Breaking change: GITHUB_CLIENT_ID/GITHUB_CLIENT_SECRET replaced with GITHUB_APP_CLIENT_ID/GITHUB_APP_CLIENT_SECRET~
---
 .env.template                                 |  16 +-
 app/(auth)/login/page.tsx                     |   2 +-
 .../(list)/_components/home-page-content.tsx  |  77 +++++-
 app/api/auth/github/callback/route.ts         | 224 ------------------
 app/api/user/github/bind/route.ts             |  67 ------
 app/api/user/github/route.ts                  | 114 ---------
 components/dialog/settings-dialog.tsx         |  93 ++++----
 lib/actions/github.ts                         |  38 ---
 lib/auth.ts                                   | 113 +++++++--
 lib/services/repoService.ts                   |  41 +---
 10 files changed, 229 insertions(+), 556 deletions(-)
 delete mode 100644 app/api/auth/github/callback/route.ts
 delete mode 100644 app/api/user/github/bind/route.ts
 delete mode 100644 app/api/user/github/route.ts

diff --git a/.env.template b/.env.template
index 00b04a5..1f58795 100644
--- a/.env.template
+++ b/.env.template
@@ -5,9 +5,17 @@ NEXTAUTH_URL=""
 NEXTAUTH_SECRET=""
 AUTH_TRUST_HOST="true"
 
-# GitHub OAuth (replace with your actual values)
-GITHUB_CLIENT_ID=""
-GITHUB_CLIENT_SECRET=""
+# GitHub App Configuration (Required for GitHub login)
+GITHUB_APP_ID=""
+GITHUB_APP_PRIVATE_KEY=""
+GITHUB_APP_WEBHOOK_SECRET=""
+GITHUB_APP_CLIENT_ID=""
+GITHUB_APP_CLIENT_SECRET=""
+NEXT_PUBLIC_GITHUB_APP_NAME=""
+
+# GitHub OAuth (DEPRECATED - Use GitHub App instead)
+# GITHUB_CLIENT_ID=""
+# GITHUB_CLIENT_SECRET=""
 
 # Sealos OAuth
 SEALOS_JWT_SECRET=""
@@ -31,5 +39,5 @@ LOG_LEVEL="info"
 
 # login
 ENABLE_PASSWORD_AUTH=""
-ENABLE_PASSWORD_AUTH=""
+ENABLE_GITHUB_AUTH="true"
 ENABLE_SEALOS_AUTH=""
diff --git a/app/(auth)/login/page.tsx b/app/(auth)/login/page.tsx
index c060920..f4776c2 100644
--- a/app/(auth)/login/page.tsx
+++ b/app/(auth)/login/page.tsx
@@ -117,7 +117,7 @@ export default function LoginPage() {
           </div>
 
           <Button
-            onClick={() => signIn('github', { callbackUrl: '/projects' })}
+            onClick={() => signIn('github-app', { callbackUrl: '/projects?github_install=true' })}
             className="w-full bg-secondary text-secondary-foreground hover:bg-muted rounded-md"
             size="lg"
             variant="outline"
diff --git a/app/(dashboard)/projects/(list)/_components/home-page-content.tsx b/app/(dashboard)/projects/(list)/_components/home-page-content.tsx
index 54534cf..dedaa67 100644
--- a/app/(dashboard)/projects/(list)/_components/home-page-content.tsx
+++ b/app/(dashboard)/projects/(list)/_components/home-page-content.tsx
@@ -2,9 +2,12 @@
 
 import { useEffect, useState } from 'react'
 import { ProjectStatus } from '@prisma/client'
-import { useRouter } from 'next/navigation'
+import { useRouter, useSearchParams } from 'next/navigation'
+import { toast } from 'sonner'
 
+import { getInstallations } from '@/lib/actions/github'
 import type { ProjectWithRelations } from '@/lib/data/project'
+import { env } from '@/lib/env'
 
 import { PageHeaderWithFilter } from './page-header-with-filter'
 import { ProjectList } from './project-list'
@@ -17,7 +20,9 @@ interface HomePageContentProps {
 
 export function HomePageContent({ projects }: HomePageContentProps) {
   const router = useRouter()
+  const searchParams = useSearchParams()
   const [activeFilter, setActiveFilter] = useState<'ALL' | ProjectStatus>('ALL')
+  const [hasTriggeredInstall, setHasTriggeredInstall] = useState(false)
 
   useEffect(() => {
     const interval = setInterval(() => {
@@ -27,6 +32,76 @@ export function HomePageContent({ projects }: HomePageContentProps) {
     return () => clearInterval(interval)
   }, [router])
 
+  useEffect(() => {
+    if (hasTriggeredInstall) return
+
+    const shouldTriggerInstall = searchParams.get('github_install') === 'true'
+    if (!shouldTriggerInstall) return
+
+    const triggerGitHubAppInstall = async () => {
+      setHasTriggeredInstall(true)
+
+      try {
+        const result = await getInstallations()
+        if (result.success && result.data.length > 0) {
+          router.replace('/projects')
+          return
+        }
+
+        const appName = env.NEXT_PUBLIC_GITHUB_APP_NAME
+        if (!appName) {
+          toast.error('GitHub App is not configured')
+          router.replace('/projects')
+          return
+        }
+
+        const installUrl = `https://github.com/apps/${appName}/installations/new`
+
+        const width = 800
+        const height = 800
+        const left = window.screen.width / 2 - width / 2
+        const top = window.screen.height / 2 - height / 2
+
+        const popup = window.open(
+          installUrl,
+          'github-app-install',
+          `width=${width},height=${height},left=${left},top=${top},resizable=yes,scrollbars=yes`
+        )
+
+        if (!popup) {
+          toast.error('Failed to open popup window. Please allow popups for this site.')
+          router.replace('/projects')
+          return
+        }
+
+        const handleMessage = (event: MessageEvent) => {
+          if (event.origin !== window.location.origin) return
+          if (event.data.type !== 'github-app-installed') return
+
+          window.removeEventListener('message', handleMessage)
+          toast.success('GitHub App installed successfully!')
+          router.replace('/projects')
+          router.refresh()
+        }
+
+        window.addEventListener('message', handleMessage)
+
+        const checkClosed = setInterval(() => {
+          if (popup.closed) {
+            clearInterval(checkClosed)
+            window.removeEventListener('message', handleMessage)
+            router.replace('/projects')
+          }
+        }, 500)
+      } catch (error) {
+        console.error('Failed to trigger GitHub App install:', error)
+        router.replace('/projects')
+      }
+    }
+
+    triggerGitHubAppInstall()
+  }, [searchParams, hasTriggeredInstall, router])
+
   return (
     <>
       <PageHeaderWithFilter activeFilter={activeFilter} onFilterChange={setActiveFilter} />
diff --git a/app/api/auth/github/callback/route.ts b/app/api/auth/github/callback/route.ts
deleted file mode 100644
index 86c7215..0000000
--- a/app/api/auth/github/callback/route.ts
+++ /dev/null
@@ -1,224 +0,0 @@
-import { NextRequest, NextResponse } from 'next/server'
-
-import { prisma } from '@/lib/db'
-import { env } from '@/lib/env'
-import { logger as baseLogger } from '@/lib/logger'
-
-const logger = baseLogger.child({ module: 'api/auth/github/callback' })
-
-/**
- * GET /api/auth/github/callback
- * Handles the OAuth callback from GitHub for account binding
- *
- * @deprecated This endpoint is deprecated in favor of GitHub App OAuth flow.
- * Will be removed in v0.5.0. Use GitHub App installation flow instead.
- */
-export async function GET(request: NextRequest) {
-  logger.warn('DEPRECATED: /api/auth/github/callback called - use GitHub App OAuth flow instead')
-
-  try {
-    const searchParams = request.nextUrl.searchParams
-    const code = searchParams.get('code')
-    const state = searchParams.get('state')
-
-    if (!code || !state) {
-      return NextResponse.json({ error: 'Missing code or state parameter' }, { status: 400 })
-    }
-
-    // Verify state parameter
-    const stateCookie = request.cookies.get('github_oauth_state')?.value
-
-    if (!stateCookie || stateCookie !== state) {
-      logger.warn('State mismatch in GitHub OAuth callback')
-      return NextResponse.json({ error: 'Invalid state parameter' }, { status: 400 })
-    }
-
-    // Decode state to get userId
-    let userId: string
-    try {
-      const decodedState = Buffer.from(state, 'base64').toString('utf-8')
-      const [, extractedUserId, timestamp] = decodedState.split('|')
-
-      // Check if state is expired (10 minutes)
-      const stateAge = Date.now() - parseInt(timestamp, 10)
-      if (stateAge > 10 * 60 * 1000) {
-        return NextResponse.json({ error: 'State expired' }, { status: 400 })
-      }
-
-      userId = extractedUserId
-    } catch {
-      return NextResponse.json({ error: 'Invalid state format' }, { status: 400 })
-    }
-
-    // Exchange code for access token
-    const tokenResponse = await fetch('https://github.com/login/oauth/access_token', {
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-        Accept: 'application/json',
-      },
-      body: JSON.stringify({
-        client_id: env.GITHUB_CLIENT_ID,
-        client_secret: env.GITHUB_CLIENT_SECRET,
-        code,
-      }),
-    })
-
-    const tokenData = await tokenResponse.json()
-
-    if (!tokenData.access_token) {
-      logger.error('Failed to get access token from GitHub')
-      return NextResponse.json({ error: 'Failed to get access token' }, { status: 500 })
-    }
-
-    const accessToken = tokenData.access_token
-    const scope = tokenData.scope || 'repo read:user'
-
-    // Get GitHub user info
-    const userResponse = await fetch('https://api.github.com/user', {
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-        Accept: 'application/vnd.github.v3+json',
-      },
-    })
-
-    const githubUser = await userResponse.json()
-
-    if (!githubUser.id) {
-      logger.error('Failed to get GitHub user info')
-      return NextResponse.json({ error: 'Failed to get user info' }, { status: 500 })
-    }
-
-    const githubUserId = githubUser.id.toString()
-    const githubLogin = githubUser.login
-    const githubAvatarUrl = githubUser.avatar_url
-
-    // Check if this GitHub account is already bound to another user
-    const existingIdentity = await prisma.userIdentity.findUnique({
-      where: {
-        unique_provider_user: {
-          provider: 'GITHUB',
-          providerUserId: githubUserId,
-        },
-      },
-    })
-
-    if (existingIdentity && existingIdentity.userId !== userId) {
-      logger.warn(`GitHub account ${githubLogin} is already bound to another user`)
-      return createCallbackPage(
-        false,
-        'This GitHub account is already bound to another user account.'
-      )
-    }
-
-    // Upsert GitHub identity
-    await prisma.userIdentity.upsert({
-      where: {
-        unique_provider_user: {
-          provider: 'GITHUB',
-          providerUserId: githubUserId,
-        },
-      },
-      update: {
-        metadata: {
-          token: accessToken,
-          scope,
-          login: githubLogin,
-          avatar_url: githubAvatarUrl,
-        },
-      },
-      create: {
-        userId,
-        provider: 'GITHUB',
-        providerUserId: githubUserId,
-        metadata: {
-          token: accessToken,
-          scope,
-          login: githubLogin,
-          avatar_url: githubAvatarUrl,
-        },
-        isPrimary: false, // This is a binding, not primary login
-      },
-    })
-
-    logger.info(`GitHub account ${githubLogin} bound successfully for user ${userId}`)
-
-    // Return success page that notifies parent window
-    return createCallbackPage(true, 'GitHub account connected successfully!')
-  } catch (error) {
-    logger.error(`Error in GitHub OAuth callback: ${error}`)
-    return createCallbackPage(false, 'An error occurred during GitHub authentication.')
-  }
-}
-
-/**
- * Create an HTML page that sends a message to the parent window (popup opener)
- * and closes itself
- */
-function createCallbackPage(success: boolean, message: string): NextResponse {
-  const html = `
-<!DOCTYPE html>
-<html>
-<head>
-  <meta charset="utf-8">
-  <title>GitHub Authentication</title>
-  <style>
-    body {
-      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
-      display: flex;
-      align-items: center;
-      justify-content: center;
-      height: 100vh;
-      margin: 0;
-      background: ${success ? '#f0fdf4' : '#fef2f2'};
-    }
-    .container {
-      text-align: center;
-      padding: 2rem;
-    }
-    .icon {
-      font-size: 3rem;
-      margin-bottom: 1rem;
-    }
-    .message {
-      font-size: 1.125rem;
-      color: ${success ? '#166534' : '#991b1b'};
-      margin-bottom: 1rem;
-    }
-    .subtitle {
-      font-size: 0.875rem;
-      color: #6b7280;
-    }
-  </style>
-</head>
-<body>
-  <div class="container">
-    <div class="icon">${success ? '✅' : '❌'}</div>
-    <div class="message">${message}</div>
-    <div class="subtitle">This window will close automatically...</div>
-  </div>
-  <script>
-    // Notify parent window
-    if (window.opener) {
-      window.opener.postMessage(
-        { type: 'github-oauth-callback', success: ${success}, message: '${message}' },
-        window.location.origin
-      );
-    }
-    
-    // Close window after a short delay
-    setTimeout(() => {
-      window.close();
-    }, 1500);
-  </script>
-</body>
-</html>
-  `
-
-  return new NextResponse(html, {
-    status: 200,
-    headers: {
-      'Content-Type': 'text/html',
-    },
-  })
-}
diff --git a/app/api/user/github/bind/route.ts b/app/api/user/github/bind/route.ts
deleted file mode 100644
index 6ac4017..0000000
--- a/app/api/user/github/bind/route.ts
+++ /dev/null
@@ -1,67 +0,0 @@
-import { randomBytes } from 'crypto'
-import { NextResponse } from 'next/server'
-
-import { auth } from '@/lib/auth'
-import { env } from '@/lib/env'
-import { logger as baseLogger } from '@/lib/logger'
-
-const logger = baseLogger.child({ module: 'api/user/github/bind' })
-
-/**
- * GET /api/user/github/bind
- * Initiates the GitHub OAuth flow for binding
- * Redirects to GitHub authorization page with a secure state parameter
- *
- * @deprecated This endpoint is deprecated in favor of GitHub App OAuth flow.
- * Will be removed in v0.5.0. Use GitHub App installation flow instead.
- */
-export async function GET() {
-  logger.warn('DEPRECATED: /api/user/github/bind called - use GitHub App OAuth flow instead')
-
-  try {
-    const session = await auth()
-
-    if (!session?.user?.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-    }
-
-    if (!env.GITHUB_CLIENT_ID || !env.GITHUB_CLIENT_SECRET) {
-      logger.error('GitHub OAuth is not configured')
-      return NextResponse.json({ error: 'GitHub OAuth is not configured' }, { status: 500 })
-    }
-
-    // Generate a secure random state parameter
-    const state = randomBytes(32).toString('hex')
-
-    // Store state in a cookie for verification in callback
-    // Format: state|userId|timestamp
-    const stateData = `${state}|${session.user.id}|${Date.now()}`
-    const encodedState = Buffer.from(stateData).toString('base64')
-
-    // Build GitHub OAuth URL
-    const githubAuthUrl = new URL('https://github.com/login/oauth/authorize')
-    githubAuthUrl.searchParams.set('client_id', env.GITHUB_CLIENT_ID)
-    githubAuthUrl.searchParams.set('redirect_uri', `${process.env.NEXTAUTH_URL}/api/auth/github/callback`)
-    githubAuthUrl.searchParams.set('scope', 'repo read:user')
-    githubAuthUrl.searchParams.set('state', encodedState)
-
-    logger.info(`GitHub OAuth bind initiated for user ${session.user.id}`)
-
-    // Create response with redirect
-    const response = NextResponse.redirect(githubAuthUrl.toString())
-
-    // Set state cookie (expires in 10 minutes)
-    response.cookies.set('github_oauth_state', encodedState, {
-      httpOnly: true,
-      secure: process.env.NODE_ENV === 'production',
-      sameSite: 'lax',
-      maxAge: 600, // 10 minutes
-      path: '/',
-    })
-
-    return response
-  } catch (error) {
-    logger.error(`Error initiating GitHub OAuth bind: ${error}`)
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
-  }
-}
diff --git a/app/api/user/github/route.ts b/app/api/user/github/route.ts
deleted file mode 100644
index 8aae4ce..0000000
--- a/app/api/user/github/route.ts
+++ /dev/null
@@ -1,114 +0,0 @@
-import { NextResponse } from 'next/server'
-
-import { auth } from '@/lib/auth'
-import { prisma } from '@/lib/db'
-import { logger as baseLogger } from '@/lib/logger'
-
-const logger = baseLogger.child({ module: 'api/user/github' })
-
-/**
- * GET /api/user/github
- * Returns the GitHub binding status for the current user
- *
- * @deprecated This endpoint is deprecated in favor of GitHub App OAuth flow.
- * Will be removed in v0.5.0. Use GitHub App installation flow instead.
- */
-export async function GET() {
-  logger.warn('DEPRECATED: /api/user/github GET called - use GitHub App OAuth flow instead')
-
-  try {
-    const session = await auth()
-
-    if (!session?.user?.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-    }
-
-    // Find GitHub identity for this user
-    const githubIdentity = await prisma.userIdentity.findFirst({
-      where: {
-        userId: session.user.id,
-        provider: 'GITHUB',
-      },
-    })
-
-    if (!githubIdentity) {
-      return NextResponse.json({ connected: false })
-    }
-
-    // Extract GitHub info from metadata
-    const metadata = githubIdentity.metadata as {
-      login?: string
-      avatar_url?: string
-    }
-
-    return NextResponse.json({
-      connected: true,
-      login: metadata.login,
-      avatar_url: metadata.avatar_url,
-    })
-  } catch (error) {
-    logger.error(`Error fetching GitHub status: ${error}`)
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
-  }
-}
-
-/**
- * DELETE /api/user/github
- * Unbinds the GitHub account from the current user
- *
- * @deprecated This endpoint is deprecated in favor of GitHub App OAuth flow.
- * Will be removed in v0.5.0. Use GitHub App installation flow instead.
- */
-export async function DELETE() {
-  logger.warn('DEPRECATED: /api/user/github DELETE called - use GitHub App OAuth flow instead')
-
-  try {
-    const session = await auth()
-
-    if (!session?.user?.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-    }
-
-    // Find and delete GitHub identity
-    const githubIdentity = await prisma.userIdentity.findFirst({
-      where: {
-        userId: session.user.id,
-        provider: 'GITHUB',
-      },
-    })
-
-    if (!githubIdentity) {
-      return NextResponse.json({ error: 'No GitHub account connected' }, { status: 404 })
-    }
-
-    // Check if this is the primary (and only) identity
-    const identityCount = await prisma.userIdentity.count({
-      where: {
-        userId: session.user.id,
-      },
-    })
-
-    if (identityCount === 1 && githubIdentity.isPrimary) {
-      return NextResponse.json(
-        {
-          error: 'Cannot unbind the only login method. Please add another login method first.',
-        },
-        { status: 400 }
-      )
-    }
-
-    // Delete the GitHub identity
-    await prisma.userIdentity.delete({
-      where: {
-        id: githubIdentity.id,
-      },
-    })
-
-    logger.info(`GitHub account unbound for user ${session.user.id}`)
-
-    return NextResponse.json({ success: true })
-  } catch (error) {
-    logger.error(`Error unbinding GitHub account: ${error}`)
-    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
-  }
-}
diff --git a/components/dialog/settings-dialog.tsx b/components/dialog/settings-dialog.tsx
index 0928940..3416925 100644
--- a/components/dialog/settings-dialog.tsx
+++ b/components/dialog/settings-dialog.tsx
@@ -22,6 +22,8 @@ import { Input } from '@/components/ui/input';
 import { Label } from '@/components/ui/label';
 import { Tabs, TabsContent, TabsList, TabsTrigger } from '@/components/ui/tabs';
 import { Textarea } from '@/components/ui/textarea';
+import { getInstallations, type GitHubInstallation } from '@/lib/actions/github';
+import { env } from '@/lib/env';
 import * as fetchClient from '@/lib/fetch-client';
 import { useSealos } from '@/provider/sealos';
 
@@ -61,12 +63,6 @@ const DEFAULT_SYSTEM_PROMPT = `You are an AI full-stack developer working in a N
 
 type TabType = 'system-prompt' | 'kubeconfig' | 'anthropic' | 'github';
 
-interface GitHubStatus {
-  connected: boolean;
-  login?: string;
-  avatar_url?: string;
-}
-
 export default function SettingsDialog({
   open,
   onOpenChange,
@@ -95,7 +91,7 @@ export default function SettingsDialog({
   const [isAnthropicInitialLoading, setIsAnthropicInitialLoading] = useState(true);
 
   // GitHub state
-  const [githubStatus, setGithubStatus] = useState<GitHubStatus>({ connected: false });
+  const [githubInstallation, setGithubInstallation] = useState<GitHubInstallation | null>(null);
   const [isGithubLoading, setIsGithubLoading] = useState(false);
   const [isGithubInitialLoading, setIsGithubInitialLoading] = useState(true);
 
@@ -176,11 +172,15 @@ export default function SettingsDialog({
 
   const loadGithubStatus = async () => {
     try {
-      const data = await fetchClient.GET<GitHubStatus>('/api/user/github');
-      setGithubStatus(data);
+      const result = await getInstallations();
+      if (result.success && result.data.length > 0) {
+        setGithubInstallation(result.data[0]);
+      } else {
+        setGithubInstallation(null);
+      }
     } catch (error) {
       console.error('Failed to load GitHub status:', error);
-      setGithubStatus({ connected: false });
+      setGithubInstallation(null);
     } finally {
       setIsGithubInitialLoading(false);
     }
@@ -280,17 +280,24 @@ export default function SettingsDialog({
   };
 
   const handleConnectGithub = () => {
+    const appName = env.NEXT_PUBLIC_GITHUB_APP_NAME;
+    if (!appName) {
+      toast.error('GitHub App is not configured');
+      return;
+    }
+
     setIsGithubLoading(true);
 
-    // Open popup window for GitHub OAuth
-    const width = 600;
-    const height = 700;
+    const installUrl = `https://github.com/apps/${appName}/installations/new`;
+
+    const width = 800;
+    const height = 800;
     const left = window.screen.width / 2 - width / 2;
     const top = window.screen.height / 2 - height / 2;
 
     const popup = window.open(
-      '/api/user/github/bind',
-      'github-oauth',
+      installUrl,
+      'github-app-install',
       `width=${width},height=${height},left=${left},top=${top},resizable=yes,scrollbars=yes`
     );
 
@@ -300,43 +307,35 @@ export default function SettingsDialog({
       return;
     }
 
-    // Listen for message from popup
     const handleMessage = (event: MessageEvent) => {
       if (event.origin !== window.location.origin) return;
-      if (event.data.type !== 'github-oauth-callback') return;
+      if (event.data.type !== 'github-app-installed') return;
 
+      window.removeEventListener('message', handleMessage);
       if (event.data.success) {
-        toast.success('GitHub account connected successfully!');
+        toast.success('GitHub App installed successfully!');
         loadGithubStatus();
       } else {
-        toast.error(event.data.message || 'Failed to connect GitHub account');
+        toast.error(event.data.message || 'Failed to install GitHub App');
       }
-
       setIsGithubLoading(false);
-      window.removeEventListener('message', handleMessage);
     };
 
     window.addEventListener('message', handleMessage);
 
-    // Fallback: stop loading after timeout
-    setTimeout(() => {
-      setIsGithubLoading(false);
-      window.removeEventListener('message', handleMessage);
-    }, 60000); // 1 minute timeout
+    const checkClosed = setInterval(() => {
+      if (popup.closed) {
+        clearInterval(checkClosed);
+        window.removeEventListener('message', handleMessage);
+        setIsGithubLoading(false);
+      }
+    }, 500);
   };
 
   const handleDisconnectGithub = async () => {
-    setIsGithubLoading(true);
-    try {
-      await fetchClient.DELETE('/api/user/github');
-      toast.success('GitHub account disconnected successfully');
-      setGithubStatus({ connected: false });
-    } catch (error: unknown) {
-      console.error('Failed to disconnect GitHub:', error);
-      toast.error(error instanceof Error ? error.message : 'Failed to disconnect GitHub account');
-    } finally {
-      setIsGithubLoading(false);
-    }
+    toast.info(
+      'To disconnect, please go to GitHub Settings > Applications and revoke access to the app.'
+    );
   };
 
   return (
@@ -601,7 +600,7 @@ export default function SettingsDialog({
               <TabsContent value="github" className="mt-0 h-full overflow-y-auto">
                 <div className="space-y-4 pb-4">
                   <div className="space-y-2">
-                    <Label className="text-foreground text-sm font-medium">GitHub Account</Label>
+                    <Label className="text-foreground text-sm font-medium">GitHub App</Label>
                     <p className="text-xs text-muted-foreground">
                       Connect your GitHub account to enable repository access and code management features.
                     </p>
@@ -611,13 +610,12 @@ export default function SettingsDialog({
                     <div className="flex items-center justify-center py-8">
                       <div className="text-muted-foreground">Loading...</div>
                     </div>
-                  ) : githubStatus.connected ? (
-                    // Connected state
+                  ) : githubInstallation ? (
                     <div className="space-y-4">
                       <div className="flex items-center gap-4 p-4 bg-green-500/10 border border-green-500/20 rounded-lg">
-                        {githubStatus.avatar_url && (
+                        {githubInstallation.accountAvatarUrl && (
                           <Image
-                            src={githubStatus.avatar_url}
+                            src={githubInstallation.accountAvatarUrl}
                             alt="GitHub Avatar"
                             width={48}
                             height={48}
@@ -627,12 +625,12 @@ export default function SettingsDialog({
                         <div className="flex-1">
                           <div className="flex items-center gap-2">
                             <span className="text-sm font-medium text-foreground">
-                              {githubStatus.login}
+                              {githubInstallation.accountLogin}
                             </span>
                             <span className="text-xs text-green-600 dark:text-green-500">● Connected</span>
                           </div>
                           <p className="text-xs text-muted-foreground mt-1">
-                            Your GitHub account is connected and ready to use.
+                            Your GitHub App is installed and ready to use.
                           </p>
                         </div>
                       </div>
@@ -643,15 +641,14 @@ export default function SettingsDialog({
                         disabled={isGithubLoading}
                         className="border-border text-muted-foreground hover:text-foreground hover:bg-accent"
                       >
-                        {isGithubLoading ? 'Disconnecting...' : 'Disconnect GitHub Account'}
+                        Disconnect GitHub App
                       </Button>
                     </div>
                   ) : (
-                    // Not connected state
                     <div className="space-y-4">
                       <div className="p-4 bg-muted/50 border border-border rounded-lg">
                         <p className="text-sm text-muted-foreground">
-                          No GitHub account connected. Connect your GitHub account to access repositories and enable version control features.
+                          No GitHub App installed. Connect your GitHub account to access repositories and enable version control features.
                         </p>
                       </div>
 
@@ -661,7 +658,7 @@ export default function SettingsDialog({
                         className="bg-primary hover:bg-primary/90 text-primary-foreground"
                       >
                         <FaGithub className="mr-2 h-4 w-4" />
-                        {isGithubLoading ? 'Connecting...' : 'Connect GitHub Account'}
+                        {isGithubLoading ? 'Connecting...' : 'Connect GitHub App'}
                       </Button>
                     </div>
                   )}
diff --git a/lib/actions/github.ts b/lib/actions/github.ts
index b6c0dea..54bb659 100644
--- a/lib/actions/github.ts
+++ b/lib/actions/github.ts
@@ -3,7 +3,6 @@
 import type { GitHubAppInstallation } from '@prisma/client'
 
 import { auth } from '@/lib/auth'
-import { prisma } from '@/lib/db'
 import { logger as baseLogger } from '@/lib/logger'
 import { getInstallationByGitHubId, getInstallationsForUser } from '@/lib/repo/github'
 import { listInstallationRepos } from '@/lib/services/github-app'
@@ -33,43 +32,6 @@ export interface GitHubRepo {
   html_url: string
 }
 
-/**
- * @deprecated Use GitHub App OAuth flow instead
- * Check if user has GitHub identity linked
- * Will be removed in v0.5.0
- */
-export async function checkGitHubIdentity(): Promise<
-  ActionResult<{ linked: boolean; githubId?: string; githubLogin?: string }>
-> {
-  logger.warn('checkGitHubIdentity() is deprecated - use GitHub App OAuth flow')
-
-  const session = await auth()
-
-  if (!session?.user?.id) {
-    return { success: false, error: 'Unauthorized' }
-  }
-
-  const githubIdentity = await prisma.userIdentity.findFirst({
-    where: {
-      userId: session.user.id,
-      provider: 'GITHUB',
-    },
-  })
-
-  if (!githubIdentity) {
-    return { success: true, data: { linked: false } }
-  }
-
-  return {
-    success: true,
-    data: {
-      linked: true,
-      githubId: githubIdentity.providerUserId,
-      githubLogin: (githubIdentity.metadata as Record<string, string>)?.login,
-    },
-  }
-}
-
 export async function getInstallations(): Promise<ActionResult<GitHubInstallation[]>> {
   const session = await auth()
 
diff --git a/lib/auth.ts b/lib/auth.ts
index 35d0e7d..78c50ce 100644
--- a/lib/auth.ts
+++ b/lib/auth.ts
@@ -1,7 +1,7 @@
 import bcrypt from 'bcryptjs'
 import NextAuth from 'next-auth'
+import type { OAuthConfig, OAuthUserConfig } from 'next-auth/providers'
 import Credentials from 'next-auth/providers/credentials'
-import GitHub from 'next-auth/providers/github'
 
 import { prisma } from '@/lib/db'
 import { env } from '@/lib/env'
@@ -12,6 +12,58 @@ import { createAiproxyToken } from '@/lib/services/aiproxy'
 
 const logger = baseLogger.child({ module: 'lib/auth' })
 
+interface GitHubAppProfile {
+  id: number
+  login: string
+  name: string | null
+  email: string | null
+  avatar_url: string
+}
+
+function GitHubApp<P extends GitHubAppProfile>(options: OAuthUserConfig<P>): OAuthConfig<P> {
+  return {
+    id: 'github-app',
+    name: 'GitHub',
+    type: 'oauth',
+    clientId: options.clientId,
+    clientSecret: options.clientSecret,
+    authorization: {
+      url: 'https://github.com/login/oauth/authorize',
+      params: {
+        scope: 'repo read:user user:email',
+      },
+    },
+    token: 'https://github.com/login/oauth/access_token',
+    userinfo: {
+      url: 'https://api.github.com/user',
+      async request({ tokens }: { tokens: { access_token: string } }) {
+        const res = await fetch('https://api.github.com/user', {
+          headers: {
+            Authorization: `Bearer ${tokens.access_token}`,
+            'User-Agent': 'next-auth',
+          },
+        })
+        if (!res.ok) {
+          throw new Error(`Failed to fetch user info: ${res.status}`)
+        }
+        return await res.json()
+      },
+    },
+    profile(profile) {
+      return {
+        id: profile.id.toString(),
+        name: profile.name || profile.login,
+        email: profile.email,
+        image: profile.avatar_url,
+      }
+    },
+    style: {
+      brandColor: '#24292F',
+      logo: '/github.svg',
+    },
+  }
+}
+
 // Build providers array dynamically based on feature flags
 const buildProviders = () => {
   const providers = []
@@ -359,23 +411,18 @@ const buildProviders = () => {
     logger.info('Sealos authentication is DISABLED')
   }
 
-  // GitHub OAuth
+  // GitHub App OAuth (replaces legacy GitHub OAuth)
   if (env.ENABLE_GITHUB_AUTH) {
     logger.info('GitHub authentication is ENABLED')
-    if (!env.GITHUB_CLIENT_ID || !env.GITHUB_CLIENT_SECRET) {
+    if (!env.GITHUB_APP_CLIENT_ID || !env.GITHUB_APP_CLIENT_SECRET) {
       logger.warn(
-        'GitHub authentication is enabled but GITHUB_CLIENT_ID or GITHUB_CLIENT_SECRET is missing'
+        'GitHub authentication is enabled but GITHUB_APP_CLIENT_ID or GITHUB_APP_CLIENT_SECRET is missing'
       )
     } else {
       providers.push(
-        GitHub({
-          clientId: env.GITHUB_CLIENT_ID,
-          clientSecret: env.GITHUB_CLIENT_SECRET,
-          authorization: {
-            params: {
-              scope: 'repo read:user',
-            },
-          },
+        GitHubApp({
+          clientId: env.GITHUB_APP_CLIENT_ID,
+          clientSecret: env.GITHUB_APP_CLIENT_SECRET,
         })
       )
     }
@@ -394,13 +441,18 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
   providers: buildProviders(),
   callbacks: {
     async signIn({ user, account, profile }) {
-      if (account?.provider === 'github') {
+      if (account?.provider === 'github-app') {
         try {
           const githubId = account.providerAccountId
-          const githubToken = account.access_token
-          const scope = account.scope || 'repo read:user'
+          const accessToken = account.access_token
+          const refreshToken = account.refresh_token
+          const expiresAt = account.expires_at
+            ? new Date(account.expires_at * 1000).toISOString()
+            : new Date(Date.now() + 8 * 60 * 60 * 1000).toISOString()
+          const scope = account.scope || 'repo read:user user:email'
+
+          const githubProfile = profile as { login?: string; name?: string; avatar_url?: string; email?: string }
 
-          // Check if identity exists
           const existingIdentity = await prisma.userIdentity.findUnique({
             where: {
               unique_provider_user: {
@@ -414,27 +466,32 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
           })
 
           if (existingIdentity) {
-            // Update GitHub token in metadata
             await prisma.userIdentity.update({
               where: { id: existingIdentity.id },
               data: {
                 metadata: {
-                  token: githubToken,
+                  accessToken,
+                  refreshToken,
+                  expiresAt,
+                  tokenType: 'bearer',
                   scope,
+                  login: githubProfile.login,
+                  name: githubProfile.name,
+                  avatarUrl: githubProfile.avatar_url,
+                  email: githubProfile.email,
+                  githubId: parseInt(githubId, 10),
                 },
               },
             })
 
-            // Set user info for JWT callback
             user.id = existingIdentity.user.id
             user.name = existingIdentity.user.name
           } else {
-            // Create new user with GitHub identity
             const newUser = await prisma.user.create({
               data: {
                 name:
-                  (profile?.name as string) ||
-                  (profile?.login as string) ||
+                  githubProfile.name ||
+                  githubProfile.login ||
                   user.name ||
                   'GitHub User',
                 identities: {
@@ -442,8 +499,16 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
                     provider: 'GITHUB',
                     providerUserId: githubId,
                     metadata: {
-                      token: githubToken,
+                      accessToken,
+                      refreshToken,
+                      expiresAt,
+                      tokenType: 'bearer',
                       scope,
+                      login: githubProfile.login,
+                      name: githubProfile.name,
+                      avatarUrl: githubProfile.avatar_url,
+                      email: githubProfile.email,
+                      githubId: parseInt(githubId, 10),
                     },
                     isPrimary: true,
                   },
@@ -455,7 +520,7 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
             user.name = newUser.name
           }
         } catch (error) {
-          logger.error(`Error in GitHub signIn callback: ${error}`)
+          logger.error(`Error in GitHub App signIn callback: ${error}`)
           return false
         }
       }
diff --git a/lib/services/repoService.ts b/lib/services/repoService.ts
index 2485be3..ab430d5 100644
--- a/lib/services/repoService.ts
+++ b/lib/services/repoService.ts
@@ -2,6 +2,7 @@
 
 import { auth } from '@/lib/auth'
 import { prisma } from '@/lib/db'
+import { getUserGitHubToken } from '@/lib/services/github-token-refresh'
 import { execCommand, TtydExecError } from '@/lib/util/ttyd-exec'
 
 export type RepoInitResult = {
@@ -136,26 +137,12 @@ export async function createGithubRepo(repoName: string): Promise<CreateRepoResu
   }
 
   try {
-    // Find UserIdentity for GitHub to get the token
-    const identity = await prisma.userIdentity.findFirst({
-      where: {
-        userId: session.user.id,
-        provider: 'GITHUB',
-      },
-    })
-
-    if (!identity) {
-      return { success: false, message: 'GitHub identity not found. Please link your GitHub account.', code: 'GITHUB_NOT_BOUND' }
-    }
-
-    const metadata = identity.metadata as { token?: string }
-    const token = metadata?.token
+    const token = await getUserGitHubToken(session.user.id)
 
     if (!token) {
-      return { success: false, message: 'GitHub token not found in identity metadata.', code: 'GITHUB_NOT_BOUND' }
+      return { success: false, message: 'GitHub identity not found. Please link your GitHub account.', code: 'GITHUB_NOT_BOUND' }
     }
 
-    // Call GitHub API to create repository
     const response = await fetch('https://api.github.com/user/repos', {
       method: 'POST',
       headers: {
@@ -165,9 +152,9 @@ export async function createGithubRepo(repoName: string): Promise<CreateRepoResu
       },
       body: JSON.stringify({
         name: repoName,
-        private: true, // Default to private
+        private: true,
         description: 'Created by Fulling, Powered by Sealos',
-        auto_init: false, // Don't create README/LICENSE, we'll push existing code
+        auto_init: false,
       }),
     })
 
@@ -249,35 +236,19 @@ export async function pushToGithub(projectId: string): Promise<RepoInitResult> {
   try {
     const { baseUrl, accessToken, authorization, project } = await getTtydContext(projectId, session.user.id)
 
-    // Use new fields with fallback to legacy field
     const repoFullName = project.githubRepoFullName || project.githubRepo
     if (!repoFullName) {
       return { success: false, message: 'No GitHub repository linked to this project' }
     }
 
-    // Get GitHub token
-    const identity = await prisma.userIdentity.findFirst({
-      where: {
-        userId: session.user.id,
-        provider: 'GITHUB',
-      },
-    })
-    
-    // Type checking for metadata token
-    const metadata = identity?.metadata as { token?: string } | undefined
-    const githubToken = metadata?.token
+    const githubToken = await getUserGitHubToken(session.user.id)
 
     if (!githubToken) {
       return { success: false, message: 'GitHub token not found', code: 'GITHUB_NOT_BOUND' }
     }
 
-    // Construct repo URL from full name (owner/repo format)
-    // We want to construct: https://oauth2:token@github.com/owner/repo.git
     const authUrl = `https://oauth2:${githubToken}@github.com/${repoFullName}.git`
 
-    // Configure remote and push
-    // We use 'git remote set-url' if origin exists, or 'git remote add' if it doesn't
-    // SECURITY: Use single quotes around URL to prevent command injection
     const command = `
       (git remote get-url origin > /dev/null 2>&1 && git remote set-url origin '${authUrl}') || git remote add origin '${authUrl}' &&
       git branch -M main &&