
Added GitHub OAuth identity verification flow#549

Merged: tcsenpai merged 2 commits into testnet from feature/github-discord-oauth on Dec 24, 2025

Conversation


@SergeyG-Solicy SergeyG-Solicy commented Dec 23, 2025

User description

Implemented OAuth-based GitHub identity linking to replace gist-based proofs:

  • Added exchangeGitHubCode() function for OAuth token exchange
  • Added exchangeGitHubOAuthCode nodeCall endpoint in manageNodeCall.ts
  • Support for the OAuth proof format (oauth:github:userId) in verifyWeb2Proof
  • Removed the old GithubProofParser class and gist-based verification
  • Removed @octokit/core dependency (no longer needed)

The new flow:

  1. Frontend redirects the user to GitHub OAuth authorization
  2. GitHub redirects back with an authorization code
  3. Node exchanges code for an access token via GitHub API
  4. Node fetches user info and returns userId/username
  5. Wallet-extension creates an identity transaction with an OAuth proof

Requires GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET in .env


PR Type

Enhancement


Description

  • Replaced gist-based GitHub proof verification with OAuth flow

  • Added exchangeGitHubCode() function for token exchange

  • Added exchangeGitHubOAuthCode endpoint in manageNodeCall

  • Removed GithubProofParser class and @octokit/core dependency

  • Updated verifyWeb2Proof to handle oauth:provider:userId format


Diagram Walkthrough

flowchart LR
  A["Frontend"] -->|"Redirect to GitHub"| B["GitHub OAuth"]
  B -->|"Authorization code"| C["Node exchangeGitHubOAuthCode"]
  C -->|"Exchange code"| D["GitHub API"]
  D -->|"Access token"| C
  C -->|"Fetch user info"| D
  D -->|"User ID/username"| C
  C -->|"oauth:github:userId proof"| E["verifyWeb2Proof"]
  E -->|"Validate proof"| F["Identity Transaction"]

File Walkthrough

Relevant files

Refactoring
index.ts (src/libs/abstraction/index.ts): Clean up imports and remove GitHub parser
  • Removed GithubProofParser import and related dependencies
  • Removed unused imports (GenesisBlock, TelegramAttestationPayload, toInteger, Chain, fs)
  • Simplified TelegramSignedAttestation import
  • Fixed code formatting in verifyTelegramProof function
  +37/-17

parsers.ts (src/libs/abstraction/web2/parsers.ts): Remove GitHub gist URL formats
  • Removed GitHub gist URL formats from Web2ProofParser formats object
  • Kept twitter and discord format definitions intact
  +0/-5

Bug fix
github.ts (src/libs/abstraction/web2/github.ts): Remove gist-based GitHub proof parser
  • Completely removed GithubProofParser class (98 lines deleted)
  • Removed gist-based verification logic including parseGistDetails, readData methods
  • Removed Octokit and axios dependencies for gist fetching
  +0/-98

Enhancement
github.ts (src/libs/identity/oauth/github.ts): Add GitHub OAuth token exchange implementation
  • New file implementing OAuth-based GitHub identity verification
  • Added exchangeGitHubCode() function to exchange authorization code for access token
  • Fetches GitHub user info (ID, login) using access token
  • Returns GitHubOAuthResult with userId and username on success
  • Includes comprehensive error handling and logging
  +108/-0

manageNodeCall.ts (src/libs/network/manageNodeCall.ts): Add exchangeGitHubOAuthCode endpoint handler
  • Added import for exchangeGitHubCode function
  • Added new exchangeGitHubOAuthCode case handler in manageNodeCall
  • Validates authorization code parameter and returns appropriate error responses
  • Calls exchangeGitHubCode and returns OAuth result with 200/400 status codes
  +18/-0

index.ts (src/libs/abstraction/index.ts): Add OAuth proof verification logic
  • Updated verifyWeb2Proof function to handle OAuth-based proofs
  • Added oauth: prefix detection and parsing logic (format: oauth:provider:userId)
  • Validates OAuth provider matches payload context
  • Validates OAuth userId matches payload userId
  • Removed github case from switch statement (now handled by OAuth logic)
  • Returns success for pre-verified OAuth proofs
  +37/-17

Configuration changes
.env.example: Add GitHub OAuth configuration variables
  • Added GITHUB_CLIENT_ID environment variable
  • Added GITHUB_CLIENT_SECRET environment variable
  • Added blank line for better organization
  +3/-0

Dependencies
package.json: Remove @octokit/core dependency
  • Removed @octokit/core dependency (version ^6.1.5)
  • No new dependencies added
  +0/-1

Summary by CodeRabbit

  • New Features

    • Added OAuth-based GitHub sign-in and attestation exchange; new env vars GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET.
  • Refactor

    • GitHub proof verification migrated to OAuth-attestation flow; legacy gist-based proof parsing removed.
    • Proof formats now exclude GitHub; Twitter and Discord remain supported.
  • Chores

    • Removed GitHub API client dependency from project dependencies.



coderabbitai bot commented Dec 23, 2025

Walkthrough

Migrates GitHub proof verification from gist-based parsing to an OAuth-based flow: removes the GithubProofParser and @octokit/core dependency, adds GITHUB_CLIENT_ID/SECRET to env example, implements GitHub OAuth exchange and attestation signing/verification, and wires an exchange endpoint into node call handling.

Changes

Cohort / File(s): Summary

Configuration & Dependencies (.env.example, package.json)
Added GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET to .env.example; removed dependency @octokit/core from package.json.

OAuth Implementation (src/libs/identity/oauth/github.ts)
New module: exchanges GitHub code for token, fetches user, creates & signs GitHubOAuthAttestation, and verifies signed attestations. Exports exchangeGitHubCode and verifyGitHubOAuthAttestation plus related interfaces.

Web2 Proof Abstraction, removed parser (src/libs/abstraction/web2/github.ts)
Entire GithubProofParser (gist-based read/parse/login logic) removed.

Proof Format Registry (src/libs/abstraction/web2/parsers.ts)
Removed github entry from Web2ProofParser.formats; supported formats now exclude GitHub gist/raw providers.

Core Proof Verification (src/libs/abstraction/index.ts)
Replaced gist-parsing path with OAuth-based GitHub proof handling: validates SignedGitHubOAuthAttestation, checks provider/user/timestamp/signature, and enforces signing-node authorization/bot checks.

Network Handler (src/libs/network/manageNodeCall.ts)
Added exchangeGitHubOAuthCode case that validates incoming code, calls exchangeGitHubCode, and returns the OAuth result.

Sequence Diagram(s)

sequenceDiagram
    actor Client
    participant Backend
    participant "GitHub API" as GitHub

    Client->>Backend: POST /exchangeGitHubOAuthCode { code }
    activate Backend
    Backend->>Backend: validate env vars (CLIENT_ID/SECRET)
    rect rgb(200,220,255)
      Note over Backend,GitHub: Token exchange
      Backend->>GitHub: POST /login/oauth/access_token (code)
      GitHub-->>Backend: { access_token }
    end
    rect rgb(220,255,220)
      Note over Backend,GitHub: User fetch & attestation
      Backend->>GitHub: GET /user (with token)
      GitHub-->>Backend: { id, login, ... }
      Backend->>Backend: create + sign GitHubOAuthAttestation
    end
    deactivate Backend
    Backend-->>Client: { success: true, userId, username, signedAttestation } | { success: false, error }

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

Review effort 2/5

Poem

🐰 Hops and keys beneath the moonlit log,

Gists gave way to OAuth through the fog,
Tokens fetched and signatures so neat,
A rabbit cheers — secure, swift, and sweet! 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'Added GitHub OAuth identity verification flow' directly and accurately describes the main objective of the pull request: replacing gist-based GitHub proof verification with an OAuth-based flow and adding OAuth identity verification capabilities.
  • Docstring Coverage: Passed. Docstring coverage is 80.00% which is sufficient. The required threshold is 80.00%.



qodo-code-review bot commented Dec 23, 2025


PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🔴
OAuth proof forgery

Description: The new OAuth proof handling accepts any client-supplied string proof of the form
oauth:provider:userId and returns success solely by matching provider to payload.context
and oauthUserId to payload.userId, enabling an authentication/identity-verification bypass
where an attacker can self-assert a GitHub (or other provider) identity without performing
an actual OAuth exchange.
index.ts [173-204]

Referred Code
// Handle OAuth-based proofs (format: "oauth:provider:userId")
const proofString = payload.proof as string
if (typeof proofString === "string" && proofString.startsWith("oauth:")) {
    const [, provider, oauthUserId] = proofString.split(":")

    // Verify OAuth proof matches the expected provider and userId
    if (provider !== payload.context) {
        return {
            success: false,
            message: `OAuth provider mismatch: expected ${payload.context}, got ${provider}`,
        }
    }

    if (oauthUserId !== payload.userId) {
        return {
            success: false,
            message: `OAuth userId mismatch: expected ${payload.userId}, got ${oauthUserId}`,
        }
    }

    // OAuth proofs are pre-verified during token exchange via the node's


 ... (clipped 11 lines)
Ticket Compliance
🎫 No ticket provided
Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


🔴
Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Unvalidated proof format: The new OAuth proof parsing assumes oauth:provider:userId and destructures
proofString.split(":") without validating segment count, allowing
provider/oauthUserId to be undefined and causing incorrect behavior.

Referred Code
// Handle OAuth-based proofs (format: "oauth:provider:userId")
const proofString = payload.proof as string
if (typeof proofString === "string" && proofString.startsWith("oauth:")) {
    const [, provider, oauthUserId] = proofString.split(":")

    // Verify OAuth proof matches the expected provider and userId
    if (provider !== payload.context) {
        return {
            success: false,
            message: `OAuth provider mismatch: expected ${payload.context}, got ${provider}`,
        }
    }

    if (oauthUserId !== payload.userId) {
        return {
            success: false,
            message: `OAuth userId mismatch: expected ${payload.userId}, got ${oauthUserId}`,
        }
    }

    // OAuth proofs are pre-verified during token exchange via the node's


 ... (clipped 11 lines)


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status:
Error details exposed: The returned failure message includes ${error.toString()} which can expose internal error
details to callers instead of keeping detailed errors in internal logs.

Referred Code
} catch (error: any) {
    return {
        success: false,
        message: `Failed to verify ${payload.context
            } proof: ${error.toString()}`,
    }


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status:
PII in logs: The new OAuth flow logs GitHub login and numeric id, which are user identifiers and may be
considered sensitive/PII in logs.

Referred Code
log.info(`[GitHub OAuth] Successfully authenticated user: ${userData.login} (ID: ${userData.id})`)


Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Missing audit log: The new exchangeGitHubOAuthCode node action performs a security-sensitive identity step
but does not add an audit log including requester identity, timestamp (implicit), action,
and outcome.

Referred Code
case "exchangeGitHubOAuthCode": {
    if (!data.code) {
        response.result = 400
        response.response = {
            success: false,
            error: "No authorization code provided",
        }
        break
    }

    const oauthResult = await exchangeGitHubCode(data.code)

    response.result = oauthResult.success ? 200 : 400
    response.response = oauthResult
    break
}


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Weak input validation: The new exchangeGitHubOAuthCode handler only checks data.code presence and does not
validate type/length/format, and it is unclear from the diff whether this nodeCall is
authenticated/authorized.

Referred Code
case "exchangeGitHubOAuthCode": {
    if (!data.code) {
        response.result = 400
        response.response = {
            success: false,
            error: "No authorization code provided",
        }
        break
    }

    const oauthResult = await exchangeGitHubCode(data.code)

    response.result = oauthResult.success ? 200 : 400
    response.response = oauthResult
    break


Compliance status legend
  🟢 - Fully Compliant
  🟡 - Partially Compliant
  🔴 - Not Compliant
  ⚪ - Requires Further Human Verification
  🏷️ - Compliance label


qodo-code-review bot commented Dec 23, 2025


PR Code Suggestions ✨

Explore these optional code suggestions:

Category / Suggestion / Impact
High-level
The OAuth proof is insecure

The current OAuth proof is a simple, forgeable string ("oauth:github:userId"),
making it vulnerable to identity spoofing. To fix this, the node should
cryptographically sign an attestation linking the GitHub ID to the user's
blockchain identity after the OAuth exchange, and this signed attestation should
be used as the unforgeable proof.

Examples:

src/libs/abstraction/index.ts [173-204]
    // Handle OAuth-based proofs (format: "oauth:provider:userId")
    const proofString = payload.proof as string
    if (typeof proofString === "string" && proofString.startsWith("oauth:")) {
        const [, provider, oauthUserId] = proofString.split(":")

        // Verify OAuth proof matches the expected provider and userId
        if (provider !== payload.context) {
            return {
                success: false,
                message: `OAuth provider mismatch: expected ${payload.context}, got ${provider}`,

 ... (clipped 22 lines)

Solution Walkthrough:

Before:

// In verifyWeb2Proof function
export async function verifyWeb2Proof(payload) {
    const proofString = payload.proof as string;
    if (proofString.startsWith("oauth:")) {
        const [, provider, oauthUserId] = proofString.split(":");

        // This check is insufficient because anyone can create a string
        // like "oauth:github:some_user_id" for any user.
        if (provider === payload.context && oauthUserId === payload.userId) {
            // The proof is considered valid based on a simple, forgeable string.
            return { success: true };
        } else {
            return { success: false };
        }
    }
    // ...
}

After:

// 1. Node endpoint that performs OAuth exchange
async function exchangeGitHubOAuthCode(code, userBlockchainAddress) {
  // ... perform OAuth exchange to get githubUserId
  const attestation = {
    blockchainAddress: userBlockchainAddress,
    githubUserId: githubUserId,
    timestamp: Date.now()
  };
  // The node signs the attestation with its private key
  const signature = sign(attestation, nodePrivateKey);
  // Return the signed attestation to the user's wallet
  return { attestation, signature };
}

// 2. In verifyWeb2Proof function
export async function verifyWeb2Proof(payload) {
    const { attestation, signature } = payload.proof;
    // Verify the signature was made by a trusted node using its public key
    if (verify(attestation, signature, nodePublicKey)) {
        // Further checks: attestation matches payload, etc.
        return { success: true };
    }
    return { success: false, message: "Invalid proof signature" };
}
Suggestion importance[1-10]: 10


Why: The suggestion correctly identifies a critical security vulnerability where the simple string-based OAuth proof can be forged, allowing anyone to spoof any GitHub identity, which completely undermines the feature.

Impact: High
Security
Add timeout to external API call

Add a timeout to the fetch call made to the GitHub API for exchanging an OAuth
code. This prevents the request from hanging indefinitely and improves service
reliability.

src/libs/identity/oauth/github.ts [44-55]

+const controller = new AbortController()
+const timeoutId = setTimeout(() => controller.abort(), 10000) // 10-second timeout
+
 const tokenResponse = await fetch("https://github.com/login/oauth/access_token", {
     method: "POST",
     headers: {
         "Content-Type": "application/json",
         "Accept": "application/json",
     },
     body: JSON.stringify({
         client_id: clientId,
         client_secret: clientSecret,
         code: code,
     }),
+    signal: controller.signal,
 })
+clearTimeout(timeoutId)
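Review bot: `clearTimeout(timeoutId)` only runs when `fetch` resolves; if the request rejects (including the abort itself) the timer is left pending and the `AbortError` reaches the caller as a generic failure. Move the `clearTimeout` into a `finally` block and map `error.name === "AbortError"` to an explicit "GitHub token exchange timed out" result. The follow-up `GET /user` call that fetches `id`/`login` is not covered by this suggestion and needs the same bound.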
Suggestion importance[1-10]: 8


Why: This is a valuable suggestion that addresses a potential reliability and security issue. An external API call without a timeout can lead to resource exhaustion if the remote service is unresponsive. Implementing a timeout with an AbortController is a best practice.

Impact: Medium
Possible issue
Add robust validation for proof string

Validate that the proofString for OAuth proofs has the correct format
('oauth:provider:userId') by checking if splitting it by ':' results in exactly
three parts before using the values.

src/libs/abstraction/index.ts [176]

-const [, provider, oauthUserId] = proofString.split(":")
+const proofParts = proofString.split(":")
+if (proofParts.length !== 3) {
+    return {
+        success: false,
+        message: "Invalid OAuth proof format. Expected 'oauth:provider:userId'.",
+    }
+}
+const [, provider, oauthUserId] = proofParts
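Review bot: `proofParts.length !== 3` still admits empty segments: `"oauth::"` and `"oauth:github:"` both split into three parts, so `provider` or `oauthUserId` becomes `""` and only the later equality check against `payload.context` / `payload.userId` rejects them. Extend the guard to `proofParts.length !== 3 || !provider || !oauthUserId` (after the destructuring) so the format error is reported for the right reason. This only hardens parsing; it does not change the high-level finding that any well-formed string of this shape is forgeable.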
Suggestion importance[1-10]: 6


Why: This suggestion correctly identifies that destructuring proofString.split(":") without checking the number of parts is not robust and could lead to oauthUserId being undefined, potentially bypassing validation. Adding a length check improves the code's resilience to malformed input.

Impact: Low

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

🧹 Nitpick comments (1)
src/libs/identity/oauth/github.ts (1)

92-99: Add response structure validation.

The code accesses userData.id and userData.login without verifying these fields exist in the response. While GitHub's API is reliable, defensive programming suggests validating the response structure.

🔎 Suggested validation before accessing properties
     const userData: GitHubUser = await userResponse.json()
+    
+    // Validate required fields
+    if (!userData.id || !userData.login) {
+        log.error("[GitHub OAuth] Invalid user data received from GitHub")
+        return {
+            success: false,
+            error: "Invalid user data received from GitHub",
+        }
+    }

     log.info(`[GitHub OAuth] Successfully authenticated user: ${userData.login} (ID: ${userData.id})`)
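Review bot: `!userData.id || !userData.login` is a falsy check on a numeric `id`; `typeof userData.id !== "number" || typeof userData.login !== "string"` states the intent and also rejects a body where `id` arrives as a string. A non-2xx response from `GET /user` carries an error object rather than a user, so checking `userResponse.ok` before `userResponse.json()` would produce a more specific error than "Invalid user data received from GitHub".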
📥 Commits

Reviewing files that changed from the base of the PR and between fa3d71f and efdb692.

📒 Files selected for processing (7)
  • .env.example
  • package.json
  • src/libs/abstraction/index.ts
  • src/libs/abstraction/web2/github.ts
  • src/libs/abstraction/web2/parsers.ts
  • src/libs/identity/oauth/github.ts
  • src/libs/network/manageNodeCall.ts
💤 Files with no reviewable changes (3)
  • src/libs/abstraction/web2/parsers.ts
  • src/libs/abstraction/web2/github.ts
  • package.json
🔇 Additional comments (5)
.env.example (1)

10-11: LGTM! Environment variables properly added for GitHub OAuth.

The addition of GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET is necessary for the new OAuth flow and follows the existing configuration pattern.

src/libs/network/manageNodeCall.ts (1)

28-28: LGTM! OAuth integration properly imported.

The import of exchangeGitHubCode integrates the new OAuth functionality into the node call handler.

src/libs/abstraction/index.ts (1)

28-34: LGTM! Bot authorization check properly implemented.

The checkBotAuthorization function correctly verifies bot addresses against genesis identities, ensuring only authorized bots can sign attestations.

src/libs/identity/oauth/github.ts (2)

29-40: LGTM! Environment variable validation properly implemented.

The function correctly checks for required OAuth credentials and returns an appropriate error if they're missing, preventing runtime failures.


101-107: Good error handling with proper logging.

The catch block appropriately logs errors and returns a structured error response, making debugging easier while keeping the API contract consistent.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2


📥 Commits

Reviewing files that changed from the base of the PR and between efdb692 and 803c140.

📒 Files selected for processing (2)
  • src/libs/abstraction/index.ts
  • src/libs/identity/oauth/github.ts
🔇 Additional comments (1)
src/libs/abstraction/index.ts (1)

176-282: GitHub OAuth verification logic is sound.

The attestation parsing and verification flow correctly:

  • Handles both string and object proof formats
  • Validates structure, provider, userId, and username
  • Enforces attestation age limits (5 minutes)
  • Verifies cryptographic signature
  • Checks node authorization against genesis identities

Note: The JSON.stringify determinism issue applies here as well (line 233), but is already flagged in src/libs/identity/oauth/github.ts.


Note on past review comment: The previous comment about OAuth proof parsing with split(":") does not apply to this GitHub OAuth implementation, which uses structured SignedGitHubOAuthAttestation objects rather than colon-separated strings.

@kynesyslabs kynesyslabs deleted a comment from coderabbitai bot Dec 24, 2025
@kynesyslabs kynesyslabs deleted a comment from coderabbitai bot Dec 24, 2025
@tcsenpai tcsenpai merged commit ad81eaa into testnet Dec 24, 2025
8 checks passed
@tcsenpai tcsenpai deleted the feature/github-discord-oauth branch December 24, 2025 10:54

2 participants