Skip to content

Fix UTexas EMU login redirect_uri mismatch and project creation failure#438

Open
saracarl with Copilot wants to merge 23 commits into
developfrom
copilot/add-utexas-login-button
Open

Fix UTexas EMU login redirect_uri mismatch and project creation failure#438
saracarl with Copilot wants to merge 23 commits into
developfrom
copilot/add-utexas-login-button

Conversation

Copilot AI commented Mar 9, 2026

Copy link
Copy Markdown

Two bugs in the UTexas EMU auth flow: the OAuth redirect_uri was hardcoded to PUBLIC_REDIRECT_URL (the canonical deployment URL), causing GitHub to reject it on preview deployments. After login, EMU tokens cannot access AVAnnotate/project-template because EMU accounts are isolated to their enterprise — making project creation fail with _repo_create_failed_.

Changes

redirect_uri mismatch (GitHub "Be careful!" warning)

  • SignInGitHub.tsx — Replace import.meta.env.PUBLIC_REDIRECT_URL with window.location.origin when building the UTexas OAuth authorize URL. Safe because the component is client:only="react".
  • git-enterprise/index.ts — Replace PUBLIC_REDIRECT_URL with new URL(request.url).origin for the post-auth redirect to /en/projects.

EMU project creation failure

EMU tokens cannot call POST /repos/AVAnnotate/project-template/generate — the template is outside their enterprise. The fix lets an enterprise-internal copy of the template be used instead.

  • git-enterprise/index.ts — Set a second auth-provider=utexas cookie on successful EMU login so downstream server routes can identify the session.
  • GitHub/index.ts — Add optional templateOwner parameter to createRepositoryFromTemplate; defaults to GIT_REPO_ORG for no behavior change on non-EMU paths.
  • api/projects/[projectName]/index.ts — When auth-provider=utexas and UTEXAS_GIT_REPO_ORG is set, use that org's copy of the template:
const isUtexasSession = cookies.get('auth-provider')?.value === 'utexas';
const templateOwner = isUtexasSession && utexasTemplateOrg ? utexasTemplateOrg : undefined;
  • .env.example / README.md — Document UTEXAS_GIT_REPO_ORG and UTEXAS_GIT_REPO_PROJECT_TEMPLATE with step-by-step instructions to fork AVAnnotate/project-template into the UTexas enterprise and mark it as a template repository.
Original prompt

This section details on the original issue you should resolve

<issue_title>Add UTexas Github Enterprise Managed User login</issue_title>
<issue_description>We need to add another button to the login screen of AVAnnotate to give users the option of logging in using their UTexas EID, which will authenticate not to the main github auth, but to the Github Enterprise Managed User SSO authentication.

The URL for Github with Utexas Enterprise Managed Users is https://github.com/enterprises/utexas-internal.

Please use and document placeholders for any settings unique to this environment.</issue_description>

<agent_instructions>Keep it simple and easy for us to read & understand -- the challenge with authentication is configuring and testing!</agent_instructions>

Comments on the Issue (you are @copilot in this section)


💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@netlify

netlify Bot commented Mar 9, 2026

Copy link
Copy Markdown

Deploy Preview for avannotate-staging ready!

Name Link
🔨 Latest commit d8bdddb
🔍 Latest deploy log https://app.netlify.com/projects/avannotate-staging/deploys/6a569b165c941000088e1de4
😎 Deploy Preview https://deploy-preview-438--avannotate-staging.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

Co-authored-by: saracarl <708566+saracarl@users.noreply.github.com>
Copilot AI changed the title [WIP] Add UTexas Github Enterprise Managed User login option Add UTexas GitHub Enterprise Managed User (EMU) login button Mar 9, 2026
@saracarl
saracarl marked this pull request as ready for review March 9, 2026 14:04
Clarify instructions for creating the OAuth App and add details about the settings location.
@saracarl

Copy link
Copy Markdown

@copilot Ok. We've got the button for logging in to UT showing up, but after we login we see that the redirect takes us to:

https://github.com/login/oauth/authorize?client_id=Ov23liAisKSxjrLdFLFC&redirect_uri=https://avannotate-staging.netlify.app/git-enterprise&scope=repo%20workflow

and the github auth UI shows:
image

We're deployed to a staging URL that is different -- https://deploy-preview-438--avannotate-staging.netlify.app/
We've added that staging URL to the github OAuth app configuration as the callback: https://deploy-preview-438--avannotate-staging.netlify.app/git-enterprise

Build-time PUBLIC_REDIRECT_URL was always the canonical staging URL, so
preview deployments (e.g. deploy-preview-438--…) sent a redirect_uri that
wasn't registered in the OAuth App, producing GitHub's "Be careful!"
warning.

- SignInGitHub.tsx: replace PUBLIC_REDIRECT_URL with window.location.origin
  (safe because the component is client:only="react")
- git-enterprise/index.ts: replace PUBLIC_REDIRECT_URL with
  new URL(request.url).origin for the post-auth redirect so the user lands
  back on the same deployment URL after sign-in

Copilot AI commented Jun 19, 2026

Copy link
Copy Markdown
Author

@copilot Ok. We've got the button for logging in to UT showing up, but after we login we see that the redirect takes us to:

https://github.com/login/oauth/authorize?client_id=Ov23liAisKSxjrLdFLFC&r...

The "Be careful!" error was caused by the redirect_uri being hard-coded to PUBLIC_REDIRECT_URL (the canonical staging URL) at build time, so any preview deployment sent the wrong URL to GitHub.

Two changes in commit fix: use window.location.origin…:

  1. SignInGitHub.tsx — replaced import.meta.env.PUBLIC_REDIRECT_URL with window.location.origin when building the UTexas OAuth URL. Because the component is client:only="react", window is always available and always reflects the actual deployment origin (preview URL, production, etc.).

  2. git-enterprise/index.ts — replaced PUBLIC_REDIRECT_URL with new URL(request.url).origin for the post-auth redirect to /en/projects, so the user lands back on the same deployment URL after sign-in.

With these changes, as long as the current preview URL is registered in the OAuth App's callback list (which you've already done), the full flow should work without any changes to environment variables.

GitHub Enterprise Managed Users cannot access repos outside their enterprise,
so the standard AVAnnotate/project-template generate call fails with their token.

- git-enterprise/index.ts: set auth-provider=utexas cookie on EMU login so
  the server can identify the session later
- GitHub/index.ts: add optional templateOwner parameter to
  createRepositoryFromTemplate (defaults to GIT_REPO_ORG as before)
- api/projects/[projectName]/index.ts: when auth-provider=utexas and
  UTEXAS_GIT_REPO_ORG is configured, use the enterprise copy of the template
- .env.example / README.md: document UTEXAS_GIT_REPO_ORG and
  UTEXAS_GIT_REPO_PROJECT_TEMPLATE plus step-by-step fork instructions
Copilot AI changed the title Add UTexas GitHub Enterprise Managed User (EMU) login button Fix UTexas EMU login redirect_uri mismatch and project creation failure Jun 19, 2026
saracarl added 10 commits June 30, 2026 10:37
Removed Astro Basics section and related content from README.
…t-creation-failure

Improve GitHub API error logging for project creation
…fromtemplate-function

Log GitHub template repository generation request
### Motivation
- Support bimodal repository creation so public template generation remains unchanged while enterprise-managed orgs can use an enterprise template owner.
- Allow creating and representing GitHub `internal` repos for enterprise orgs even though the template API only accepts a `private` boolean.
- Improve GitHub failure observability by logging request ids and response bodies for template generation, visibility changes, and Pages operations.

### Description
- Added `src/lib/GitHub/config.ts` with helpers to parse `PUBLIC_GITHUB_ENTERPRISE_ORGS`/`GITHUB_ENTERPRISE_ORGS` and to resolve `GIT_REPO_ORG_ENTERPRISE` vs `GIT_REPO_ORG` for template owner selection.
- Updated `createRepositoryFromTemplate` in `src/lib/GitHub/index.ts` to pick the template owner via `getTemplateOwnerForDestinationOrg`, log the resolved generation URL and sanitized payload, and map `visibility` to the template API `private` boolean (treat `internal` as `private` initially).
- Extended `changeRepoVisibility` to accept a `boolean | RepoVisibility` and to PATCH either `{ private: ... }` or `{ visibility: 'internal' }` so internal visibility can be applied after template creation.
- Updated the front-end `NewProject` flow in `src/apps/NewProject/NewProject.tsx` to send `visibility: 'internal'` for non-private projects targeted at enterprise orgs and to keep `visibility: 'public'` for public orgs or `private` when requested.
- Enhanced the API handler in `src/pages/api/projects/[projectName]/index.ts` to call the visibility helper after template creation when `body.visibility === 'internal'`, to add `logGitHubFailure` logging (including `x-github-request-id` and response body) on failures, and to persist `visibility` into the project config while retaining `is_private` for backwards compatibility.
- Updated types in `src/types/api.ts` and `src/types/Types.ts` to allow `visibility: 'private' | 'public' | 'internal'` and to include `visibility` on the `Project` type.

### Testing
- Ran the project build and typecheck with `npm run build` (which runs `astro check` and the client/server build), and the build completed successfully with no type errors.
- Verified that `createRepositoryFromTemplate` composes and logs the resolved GitHub template URL and payload during local runs and that `changeRepoVisibility` can be called with `'internal'` to issue the appropriate PATCH request (failure cases are logged with request id and response body).
…b-project-creation

Add GitHub enterprise/internal visibility support and switch project API to `is_private`
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add UTexas Github Enterprise Managed User login

2 participants