use github app for service instead of personal pat (with the option to for local dev)

Author: ahmedkhaleel2004

backend/app/routers/generate.py

@@ -15,8 +15,7 @@
 router = APIRouter(prefix="/generate", tags=["Claude"])
 
 # Initialize services
-github_token = os.getenv("GITHUB_PAT")  # might hit rate limit on just my token
-github_service = GitHubService(github_token)
+github_service = GitHubService()
 claude_service = ClaudeService()
 
 

backend/app/services/github_service.py

@@ -1,21 +1,80 @@
 import requests
+import jwt
+import time
+from datetime import datetime, timedelta
 from dotenv import load_dotenv
+import os
 
 load_dotenv()
 
 
 class GitHubService:
-    def __init__(self, github_token):
-        self.github_token = github_token
-        self.headers = {
-            "Authorization": f"token {self.github_token}",
-            "Accept": "application/vnd.github+json"
+    def __init__(self):
+        # Try app authentication first
+        self.client_id = os.getenv("GITHUB_CLIENT_ID")
+        self.private_key = os.getenv("GITHUB_PRIVATE_KEY")
+        self.installation_id = os.getenv("GITHUB_INSTALLATION_ID")
+
+        # Fallback to PAT if app credentials not found
+        self.github_token = os.getenv("GITHUB_PAT")
+
+        if not all([self.client_id, self.private_key, self.installation_id]) and not self.github_token:
+            raise ValueError(
+                "Either GitHub App credentials or PAT must be provided")
+
+        self.access_token = None
+        self.token_expires_at = None
+
+    # autopep8: off
+    def _generate_jwt(self):
+        now = int(time.time())
+        payload = {
+            "iat": now,
+            "exp": now + (10 * 60),  # 10 minutes
+            "iss": self.client_id
+        }
+        # Convert PEM string format to proper newlines
+        return jwt.encode(payload, self.private_key, algorithm="RS256")  # type: ignore
+    # autopep8: on
+
+    def _get_installation_token(self):
+        if self.access_token and self.token_expires_at > datetime.now():  # type: ignore
+            return self.access_token
+
+        jwt_token = self._generate_jwt()
+        response = requests.post(
+            f"https://api.github.com/app/installations/{
+                self.installation_id}/access_tokens",
+            headers={
+                "Authorization": f"Bearer {jwt_token}",
+                "Accept": "application/vnd.github+json"
+            }
+        )
+        data = response.json()
+        self.access_token = data["token"]
+        self.token_expires_at = datetime.now() + timedelta(hours=1)
+        return self.access_token
+
+    def _get_headers(self):
+        # Use PAT if app credentials not available
+        if not all([self.client_id, self.private_key, self.installation_id]):
+            return {
+                "Authorization": f"token {self.github_token}",
+                "Accept": "application/vnd.github+json"
+            }
+
+        # Otherwise use app authentication
+        token = self._get_installation_token()
+        return {
+            "Authorization": f"Bearer {token}",
+            "Accept": "application/vnd.github+json",
+            "X-GitHub-Api-Version": "2022-11-28"
         }
 
     def get_default_branch(self, username, repo):
         """Get the default branch of the repository."""
         api_url = f"https://api.github.com/repos/{username}/{repo}"
-        response = requests.get(api_url, headers=self.headers)
+        response = requests.get(api_url, headers=self._get_headers())
 
         if response.status_code == 200:
             return response.json().get('default_branch')
@@ -57,7 +116,7 @@ def should_include_file(path):
         if branch:
             api_url = f"https://api.github.com/repos/{
                 username}/{repo}/git/trees/{branch}?recursive=1"
-            response = requests.get(api_url, headers=self.headers)
+            response = requests.get(api_url, headers=self._get_headers())
 
             if response.status_code == 200:
                 data = response.json()
@@ -71,7 +130,7 @@ def should_include_file(path):
         for branch in ['main', 'master']:
             api_url = f"https://api.github.com/repos/{
                 username}/{repo}/git/trees/{branch}?recursive=1"
-            response = requests.get(api_url, headers=self.headers)
+            response = requests.get(api_url, headers=self._get_headers())
 
             if response.status_code == 200:
                 data = response.json()
@@ -96,13 +155,7 @@ def get_github_readme(self, username, repo):
             str: The contents of the README file.
         """
         api_url = f"https://api.github.com/repos/{username}/{repo}/readme"
-
-        headers = {
-            "Authorization": f"token {self.github_token}",
-            "Accept": "application/vnd.github+json"
-        }
-
-        response = requests.get(api_url, headers=headers)
+        response = requests.get(api_url, headers=self._get_headers())
 
         if response.status_code == 404:
             raise ValueError("Repository not found.")

backend/requirements.txt

@@ -3,8 +3,10 @@ anthropic==0.42.0
 anyio==4.7.0
 api-analytics==1.2.5
 certifi==2024.12.14
+cffi==1.17.1
 charset-normalizer==3.4.0
 click==8.1.7
+cryptography==44.0.0
 Deprecated==1.2.15
 distro==1.9.0
 dnspython==2.7.0
@@ -23,9 +25,11 @@ markdown-it-py==3.0.0
 MarkupSafe==3.0.2
 mdurl==0.1.2
 packaging==24.2
+pycparser==2.22
 pydantic==2.10.3
 pydantic_core==2.27.1
 Pygments==2.18.0
+PyJWT==2.10.1
 python-dotenv==1.0.1
 python-multipart==0.0.19
 PyYAML==6.0.2