rjohnson2011
diff --git a/‎.env.example‎
Lines changed: 8 additions & 0 deletions b/‎.env.example‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎GITHUB_OAUTH_SETUP.md‎
Lines changed: 129 additions & 0 deletions b/‎GITHUB_OAUTH_SETUP.md‎
Lines changed: 129 additions & 0 deletions
diff --git a/‎Gemfile‎
Lines changed: 7 additions & 1 deletion b/‎Gemfile‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎Gemfile.lock‎
Lines changed: 38 additions & 0 deletions b/‎Gemfile.lock‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎app/controllers/api/v1/auth_controller.rb‎
Lines changed: 108 additions & 0 deletions b/‎app/controllers/api/v1/auth_controller.rb‎
Lines changed: 108 additions & 0 deletions
@@ -12,5 +12,13 @@ ADMIN_TOKEN=your_secure_admin_token_here
 # Rails Configuration
 RAILS_MASTER_KEY=your_rails_master_key_here
 
+# GitHub OAuth Configuration
+GITHUB_CLIENT_ID=your_github_oauth_app_client_id
+GITHUB_CLIENT_SECRET=your_github_oauth_app_client_secret
+
+# Frontend URL (for OAuth redirects)
+FRONTEND_URL=http://localhost:5173
+API_URL=http://localhost:3000
+
 # Optional: Enable debug logging
 # RAILS_LOG_LEVEL=debug
@@ -0,0 +1,129 @@
+# GitHub OAuth Setup Guide
+
+This guide will help you set up GitHub OAuth authentication for the Platform Code Reviews application.
+
+## Prerequisites
+
+You need to be able to create OAuth Apps in GitHub. This can be done:
+1. For personal testing: In your personal GitHub account settings
+2. For production: In the department-of-veterans-affairs organization settings (requires admin access)
+
+## Step 1: Create a GitHub OAuth App
+
+1. Go to GitHub Settings:
+   - Personal: https://github.com/settings/developers
+   - Organization: https://github.com/organizations/department-of-veterans-affairs/settings/applications
+
+2. Click "New OAuth App" (or "Register an application")
+
+3. Fill in the following details:
+   - **Application name**: `Platform Code Reviews` (or `Platform Code Reviews - Dev` for development)
+   - **Homepage URL**: 
+     - Development: `http://localhost:5173`
+     - Production: `https://your-frontend-domain.com`
+   - **Authorization callback URL**: 
+     - Development: `http://localhost:3000/api/v1/auth/github/callback`
+     - Production: `https://your-api-domain.com/api/v1/auth/github/callback`
+   - **Enable Device Flow**: Leave unchecked
+
+4. Click "Register application"
+
+5. You'll see your **Client ID** on the next page
+
+6. Click "Generate a new client secret" and copy the secret immediately (you won't be able to see it again)
+
+## Step 2: Configure the Rails Application
+
+1. Copy the `.env.example` file to `.env`:
+   ```bash
+   cp .env.example .env
+   ```
+
+2. Edit `.env` and add your OAuth credentials:
+   ```
+   # GitHub OAuth Configuration
+   GITHUB_CLIENT_ID=your_client_id_here
+   GITHUB_CLIENT_SECRET=your_client_secret_here
+   
+   # Frontend URL (for OAuth redirects)
+   FRONTEND_URL=http://localhost:5173  # Change for production
+   API_URL=http://localhost:3000       # Change for production
+   ```
+
+3. Run the database migration to create the users table:
+   ```bash
+   rails db:migrate
+   ```
+
+## Step 3: Update Frontend URLs
+
+The frontend needs to know where the API is located. Update these as needed for your deployment.
+
+## Step 4: Test the Authentication Flow
+
+1. Start the Rails server:
+   ```bash
+   rails server
+   ```
+
+2. Visit: `http://localhost:3000/api/v1/auth/github`
+
+3. You should be redirected to GitHub to authorize the application
+
+4. After authorization, you'll be redirected back to the frontend with a JWT token
+
+## Security Considerations
+
+1. **Never commit** the `.env` file or expose your client secret
+2. **Use HTTPS** in production for all URLs
+3. **Rotate secrets** periodically
+4. **Limit scope** - We only request `read:user` and `read:org` permissions
+
+## How It Works
+
+1. User clicks "Login with GitHub" on the frontend
+2. Frontend redirects to `/api/v1/auth/github`
+3. Rails redirects to GitHub OAuth with proper parameters
+4. User authorizes on GitHub
+5. GitHub redirects back to `/api/v1/auth/github/callback` with a code
+6. Rails exchanges the code for an access token
+7. Rails fetches user data and checks VA organization membership
+8. Rails creates/updates the user record
+9. Rails generates a JWT token and redirects to frontend with the token
+10. Frontend stores the JWT and includes it in API requests
+
+## Required Scopes
+
+The application requests these GitHub OAuth scopes:
+- `read:user` - Read user profile data
+- `read:org` - Read organization membership (required to verify VA membership)
+
+## Troubleshooting
+
+### "Redirect URI mismatch" error
+- Make sure the callback URL in your GitHub OAuth app settings exactly matches what's configured in the Rails app
+- Check that `API_URL` in your `.env` file is correct
+
+### "Bad credentials" error
+- Verify your `GITHUB_CLIENT_ID` and `GITHUB_CLIENT_SECRET` are correct
+- Make sure there are no extra spaces or newlines in the `.env` file
+
+### Organization membership check fails
+- Ensure the OAuth app has `read:org` scope
+- The user must be a public member of the organization (private members may not be visible)
+
+## Production Deployment
+
+For production deployment on Render.com or similar:
+
+1. Set environment variables in your hosting platform:
+   ```
+   GITHUB_CLIENT_ID=your_production_client_id
+   GITHUB_CLIENT_SECRET=your_production_client_secret
+   FRONTEND_URL=https://your-frontend-domain.vercel.app
+   API_URL=https://your-api-domain.onrender.com
+   ```
+
+2. Update the GitHub OAuth app with production URLs
+
+3. Ensure CORS is properly configured to allow your frontend domain
@@ -10,7 +10,13 @@ gem "puma", ">= 5.0"
 # gem "jbuilder"
 
 # Use Active Model has_secure_password [https://guides.rubyonrails.org/active_model_basics.html#securepassword]
-# gem "bcrypt", "~> 3.1.7"
+gem "bcrypt", "~> 3.1.7"
+
+# Authentication
+gem "omniauth", "~> 2.1"
+gem "omniauth-github", "~> 2.0"
+gem "omniauth-rails_csrf_protection", "~> 1.0"
+gem "jwt", "~> 2.7"
 
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem "tzinfo-data", platforms: %i[ windows jruby ]
 
@@ -76,6 +76,7 @@ GEM
       public_suffix (>= 2.0.2, < 7.0)
     ast (2.4.3)
     base64 (0.3.0)
+    bcrypt (3.1.20)
     bcrypt_pbkdf (1.1.1)
     bcrypt_pbkdf (1.1.1-arm64-darwin)
     bcrypt_pbkdf (1.1.1-x86_64-darwin)
@@ -118,6 +119,7 @@ GEM
       raabro (~> 1.4)
     globalid (1.2.1)
       activesupport (>= 6.1)
+    hashie (5.0.0)
     httparty (0.23.1)
       csv
       mini_mime (>= 1.0.0)
@@ -130,6 +132,8 @@ GEM
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
     json (2.12.2)
+    jwt (2.10.2)
+      base64
     kamal (2.7.0)
       activesupport (>= 7.0)
       base64 (~> 0.2)
@@ -195,9 +199,30 @@ GEM
       racc (~> 1.4)
     nokogiri (1.18.8-x86_64-linux-musl)
       racc (~> 1.4)
+    oauth2 (2.0.12)
+      faraday (>= 0.17.3, < 4.0)
+      jwt (>= 1.0, < 4.0)
+      logger (~> 1.2)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 4)
+      snaky_hash (~> 2.0, >= 2.0.3)
+      version_gem (>= 1.1.8, < 3)
     octokit (9.2.0)
       faraday (>= 1, < 3)
       sawyer (~> 0.9)
+    omniauth (2.1.3)
+      hashie (>= 3.4.6)
+      rack (>= 2.2.3)
+      rack-protection
+    omniauth-github (2.0.1)
+      omniauth (~> 2.0)
+      omniauth-oauth2 (~> 1.8)
+    omniauth-oauth2 (1.8.0)
+      oauth2 (>= 1.4, < 3)
+      omniauth (~> 2.0)
+    omniauth-rails_csrf_protection (1.0.2)
+      actionpack (>= 4.2)
+      omniauth (~> 2.0)
     ostruct (0.6.2)
     parallel (1.27.0)
     parser (3.3.8.0)
@@ -223,6 +248,10 @@ GEM
     rack-cors (3.0.0)
       logger
       rack (>= 3.0.14)
+    rack-protection (4.1.1)
+      base64 (>= 0.1.0)
+      logger (>= 1.6.0)
+      rack (>= 3.0.0, < 4)
     rack-session (2.1.1)
       base64 (>= 0.1.0)
       rack (>= 3.0.0)
@@ -306,6 +335,9 @@ GEM
       rexml (~> 3.2, >= 3.2.5)
       rubyzip (>= 1.2.2, < 3.0)
       websocket (~> 1.0)
+    snaky_hash (2.0.3)
+      hashie (>= 0.1.0, < 6)
+      version_gem (>= 1.1.8, < 3)
     solid_cable (3.0.11)
       actioncable (>= 7.2)
       activejob (>= 7.2)
@@ -344,6 +376,7 @@ GEM
     unicode-emoji (4.0.4)
     uri (1.0.3)
     useragent (0.16.11)
+    version_gem (1.1.8)
     webdrivers (5.3.1)
       nokogiri (~> 1.6)
       rubyzip (>= 1.3.0)
@@ -370,16 +403,21 @@ PLATFORMS
   x86_64-linux-musl
 
 DEPENDENCIES
+  bcrypt (~> 3.1.7)
   bootsnap
   brakeman
   debug
   dotenv-rails (~> 3.0)
   faraday (~> 2.0)
   faraday-retry
   httparty (~> 0.22)
+  jwt (~> 2.7)
   kamal
   nokogiri (~> 1.16)
   octokit (~> 9.0)
+  omniauth (~> 2.1)
+  omniauth-github (~> 2.0)
+  omniauth-rails_csrf_protection (~> 1.0)
   pg (~> 1.1)
   playwright-ruby-client (~> 1.40)
   puma (>= 5.0)
 
@@ -0,0 +1,108 @@
+module Api
+  module V1
+    class AuthController < ApplicationController
+      skip_before_action :verify_authenticity_token, only: [:github_callback]
+      
+      # GET /api/v1/auth/github
+      # Redirects to GitHub OAuth
+      def github
+        redirect_to github_oauth_url, allow_other_host: true
+      end
+      
+      # GET /api/v1/auth/github/callback
+      # Handles OAuth callback from GitHub
+      def github_callback
+        # Exchange code for access token
+        access_token = exchange_code_for_token(params[:code])
+        
+        if access_token.nil?
+          return render json: { error: "Failed to authenticate with GitHub" }, status: :unauthorized
+        end
+        
+        # Get user data from GitHub
+        github_client = Octokit::Client.new(access_token: access_token)
+        github_user = github_client.user
+        
+        # Find or create user
+        user = User.from_github_oauth(github_user.to_h)
+        user.access_token = access_token
+        user.save!
+        
+        # Check VA membership
+        user.check_va_membership!(github_client)
+        
+        # Generate JWT token
+        jwt_token = user.generate_jwt_token
+        
+        # Redirect back to frontend with token
+        redirect_to "#{frontend_url}/auth/callback?token=#{jwt_token}", allow_other_host: true
+      rescue => e
+        Rails.logger.error "GitHub OAuth error: #{e.message}"
+        redirect_to "#{frontend_url}/auth/error?message=#{CGI.escape(e.message)}", allow_other_host: true
+      end
+      
+      # GET /api/v1/auth/me
+      # Returns current user info
+      def me
+        if current_user
+          render json: {
+            id: current_user.id,
+            github_username: current_user.github_username,
+            name: current_user.name,
+            email: current_user.email,
+            avatar_url: current_user.avatar_url,
+            is_va_member: current_user.is_va_member,
+            last_login_at: current_user.last_login_at
+          }
+        else
+          render json: { error: "Not authenticated" }, status: :unauthorized
+        end
+      end
+      
+      # POST /api/v1/auth/logout
+      def logout
+        # Since we're using JWT, we don't need to do anything server-side
+        # The client will remove the token
+        render json: { message: "Logged out successfully" }
+      end
+      
+      private
+      
+      def github_oauth_url
+        client_id = ENV["GITHUB_CLIENT_ID"]
+        redirect_uri = "#{api_url}/api/v1/auth/github/callback"
+        scope = "read:user,read:org"
+        
+        "https://github.com/login/oauth/authorize?client_id=#{client_id}&redirect_uri=#{CGI.escape(redirect_uri)}&scope=#{scope}"
+      end
+      
+      def exchange_code_for_token(code)
+        client_id = ENV["GITHUB_CLIENT_ID"]
+        client_secret = ENV["GITHUB_CLIENT_SECRET"]
+        
+        response = Faraday.post("https://github.com/login/oauth/access_token") do |req|
+          req.headers["Accept"] = "application/json"
+          req.body = {
+            client_id: client_id,
+            client_secret: client_secret,
+            code: code
+          }
+        end
+        
+        data = JSON.parse(response.body)
+        data["access_token"]
+      rescue => e
+        Rails.logger.error "Failed to exchange code for token: #{e.message}"
+        nil
+      end
+      
+      def frontend_url
+        ENV["FRONTEND_URL"] || "http://localhost:5173"
+      end
+      
+      def api_url
+        ENV["API_URL"] || "http://localhost:3000"
+      end
+    end
+  end
+end