fix: move CODEOWNERS team membership check server-side (#173) #174
Open
mvvmm wants to merge 1 commit into
github.token has no read:org scope, so calls to
GET /orgs/{org}/teams/{team}/memberships/{actor} return 404 (not 403).
This was silently treated as 'not a member', causing team entries in
CODEOWNERS to always fail while individual user entries worked.
Move team membership verification into handleExchangeToken on the server:
- New checkTeamMembership() generates an unscoped installation token (org-level access) to call the membership API successfully
- Cross-org team patterns are rejected before any API call (security)
- orchestrate.ts checkCodeowners() returns team patterns instead of checking them client-side with github.token
- Team patterns are forwarded in the OIDC exchange request body as codeowners_teams + actor; server denies the token if actor is not a member of any listed team

Requires the bonk GitHub App to have Organization members: Read permission configured.
Fixes Cloudflare-Studio#173
Contributor, Author:
/bonk please review
Fixes #173.

github.token lacks read:org scope, so team membership checks in checkCodeowners always got 404 — silently treated as "not a member". Individual user entries worked fine because they're matched locally without any API call.

Fix: move team membership checks server-side into handleExchangeToken. When the actor isn't individually listed, orchestrate.ts forwards the team patterns to the OIDC exchange endpoint. The server generates an unscoped installation token (org-level access) to verify membership, then issues the normal scoped repo token if the actor qualifies.

Note: requires the bonk GitHub App to have Organization members: Read permission. Without it, the check fails closed (denies the token).
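The decision logic the commit message and PR description outline (parse the CODEOWNERS team patterns, refuse cross-org patterns before any API call, accept only an explicit active membership, and deny on every other outcome, including the 404 that caused the original bug) can be shown in isolation. The block below is an added illustration, not bonk's checkTeamMembership or any code from this PR; the function names, the synchronous injected lookup, the response shape and the sample roster are all assumptions made for the example.

```typescript
// Added illustration (not bonk's own code): server-side CODEOWNERS team
// membership decision that rejects cross-org patterns before any API call
// and fails closed on anything other than an explicit active membership.

type MembershipState = "active" | "pending";

// Stand-in for the GitHub "get team membership for a user" call (assumed
// shape: HTTP status plus, on 200, the membership state). The real server
// would perform this with an installation token that carries
// "Organization members: Read"; here it is injected so the logic is testable.
type MembershipLookup = (
  org: string,
  teamSlug: string,
  actor: string,
) => { status: number; state?: MembershipState };

interface TeamCheckResult {
  allowed: boolean;
  reason: string;
}

// CODEOWNERS team entries look like "@org/team-slug".
const TEAM_PATTERN = /^@([A-Za-z0-9-]+)\/([A-Za-z0-9_.-]+)$/;

function parseTeamPattern(pattern: string): { org: string; team: string } | null {
  const m = TEAM_PATTERN.exec(pattern.trim());
  return m ? { org: m[1], team: m[2] } : null;
}

// Decide whether `actor` is an active member of at least one listed team.
// `installOrg` is the org the installation token belongs to; every pattern
// is validated against it before a single lookup is made.
function checkTeamMembership(
  installOrg: string,
  teamPatterns: string[],
  actor: string,
  lookup: MembershipLookup,
): TeamCheckResult {
  if (teamPatterns.length === 0) {
    return { allowed: false, reason: "no team patterns supplied" };
  }
  const parsed: { org: string; team: string }[] = [];
  for (const p of teamPatterns) {
    const t = parseTeamPattern(p);
    if (!t) return { allowed: false, reason: `malformed team pattern: ${p}` };
    if (t.org.toLowerCase() !== installOrg.toLowerCase()) {
      // Refuse before any API call: this installation's token must never be
      // used to resolve a team in another org.
      return { allowed: false, reason: `cross-org team pattern rejected: ${p}` };
    }
    parsed.push(t);
  }
  for (const { org, team } of parsed) {
    let res: ReturnType<MembershipLookup>;
    try {
      res = lookup(org, team, actor);
    } catch {
      // Transport or auth failure: fail closed rather than guess.
      return { allowed: false, reason: `membership lookup failed for @${org}/${team}` };
    }
    // Only an explicit active membership grants access. A 404 can mean
    // "not a member" or "token cannot see this team" (the bug this PR fixes);
    // both are denials, and the status is kept in the reason for logging.
    if (res.status === 200 && res.state === "active") {
      return { allowed: true, reason: `actor is an active member of @${org}/${team}` };
    }
  }
  return { allowed: false, reason: "actor is not an active member of any listed team" };
}

// Constructed sample roster standing in for the GitHub API (not real data).
const SAMPLE_MEMBERS: Record<string, Record<string, MembershipState>> = {
  "acme/backend": { alice: "active", bob: "pending" },
  "acme/frontend": { carol: "active" },
};

const sampleLookup: MembershipLookup = (org, team, actor) => {
  const roster = SAMPLE_MEMBERS[`${org}/${team}`];
  const state: MembershipState | undefined = roster ? roster[actor] : undefined;
  return state ? { status: 200, state } : { status: 404 };
};

// Example decision for a constructed request.
const exampleDecision = checkTeamMembership("acme", ["@acme/backend"], "alice", sampleLookup);
```

One design choice worth noting: the example denies the whole request when any pattern is cross-org rather than skipping that pattern, and it treats a pending membership the same as no membership. The PR text only says cross-org patterns are rejected before any API call; how strictly the rest is handled is an assumption of this example.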