
feat: bring-your-own-token (BYOT) support for GitHub PAT (closes #5 partial) #16

Open: Ys876 wants to merge 1 commit into 403errors:main from Ys876:feat/byot-github-token

Ys876 commented Jun 24, 2026

Closes #5 (partial, implements the "Bring Your Own Token" flow; OAuth login left for a separate PR)

What this adds

Users can now paste a GitHub Personal Access Token (PAT) directly in the header to:

  • Remove rate limits when analyzing public repositories
  • Access private repositories without OAuth (using a PAT with repo scope)

Changes

New files

  • src/lib/use-github-token.ts — useGitHubToken hook that reads/writes the PAT in localStorage. Token is never logged or sent to analytics.
  • src/components/GitHubTokenModal.tsx — modal UI for entering, verifying, and clearing the PAT

Modified files

  • src/components/AuthButton.tsx — adds a token indicator button ("Add token" / "Your token") that opens the modal. Works for both signed-in and anonymous users.

Security guarantees

  • Token stored only in localStorage — no server persistence, no analytics
  • Input is type="password" by default, with a show/hide toggle
  • Token is validated by calling /user on the GitHub API directly from the browser before being saved — never touches the server
  • Token is never sent to any RepoMind endpoint

Testing

  • Open the app → "Add token" button visible in header
  • Click → modal opens, paste a valid PAT → click "Verify token"
  • If valid: shows authenticated username, "Save and use this token" activates
  • If invalid: red error message shown
  • After save: header shows green "Your token" indicator
  • Refreshing: token persists from localStorage
  • Clicking "Remove" clears localStorage and resets indicator

What's left from #5

  • OAuth GitHub login (web flow) with minimal scopes — separate PR
  • Passing user token through server-side API route calls

The BYOT flow is self-contained and ships immediate value to users hitting rate limits.
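
The verify-then-save flow listed under "Security guarantees" above, as an added example that is not part of the PR or the RepoMind code base: the token is sent only to GitHub's /user endpoint and is written to storage only after GitHub accepts it. The storage key and function names are hypothetical, fetch and storage are injectable so the flow can be checked offline, and reading X-OAuth-Scopes (returned for classic PATs) goes beyond what the PR describes.

```javascript
// Added example: verify-then-save for a user-supplied GitHub PAT.
// STORAGE_KEY and the function names are hypothetical, not taken from the PR.
const GITHUB_USER_URL = "https://api.github.com/user";
const STORAGE_KEY = "example.github_pat"; // assumed key name

// fetchImpl and storage are parameters so the flow can be exercised offline;
// in a browser they default to window.fetch and window.localStorage.
async function verifyAndStoreToken(
  token,
  fetchImpl = globalThis.fetch,
  storage = globalThis.localStorage
) {
  const candidate = String(token ?? "").trim();
  if (candidate === "") return { ok: false, error: "empty token" };

  let res;
  try {
    // The token travels only to api.github.com, in the Authorization header.
    res = await fetchImpl(GITHUB_USER_URL, {
      headers: {
        Authorization: `Bearer ${candidate}`,
        Accept: "application/vnd.github+json",
      },
    });
  } catch {
    return { ok: false, error: "network error" }; // nothing is saved
  }
  if (res.status === 401) return { ok: false, error: "invalid or expired token" };
  if (!res.ok) return { ok: false, error: `GitHub returned ${res.status}` };

  const { login } = await res.json();
  // Classic PATs report their scopes in X-OAuth-Scopes; fine-grained tokens omit it.
  const header = res.headers.get("x-oauth-scopes");
  const scopes = header
    ? header.split(",").map((s) => s.trim()).filter(Boolean)
    : null;

  storage.setItem(STORAGE_KEY, candidate); // saved only after GitHub accepted it
  return { ok: true, login, scopes };
}

// Counterpart of the "Remove" action: drop the stored token.
function clearToken(storage = globalThis.localStorage) {
  storage.removeItem(STORAGE_KEY);
}
```

Returning the scopes lets the modal show whether a classic token actually carries the repo scope needed for private repositories before it is saved.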

vercel Bot commented Jun 24, 2026

@Ys876 is attempting to deploy a commit to the repomindagent-7990's projects Team on Vercel.

A member of the Team first needs to authorize it.

Development

Successfully merging this pull request may close these issues.

Private repo access via OAuth + “bring your own GitHub token” flow