Skip to content

Multi-user support: only use current user token#9129

Merged
fregante merged 5 commits into
refined-github:mainfrom
nntld:personal-token-strict-mode
Apr 2, 2026
Merged

Multi-user support: only use current user token#9129
fregante merged 5 commits into
refined-github:mainfrom
nntld:personal-token-strict-mode

Conversation

@nntld
Copy link
Copy Markdown
Contributor

@nntld nntld commented Mar 27, 2026

Closes #9118

Asserts that all non-read only calls going to the GH API are made with the same token as the currently logged in user.

I chose to do this in the API wrappers where possible, to avoid lots of manual assertions that would be easy to forget for new features.

Tests/screenshots

@github-actions github-actions Bot added the meta Related to Refined GitHub itself label Mar 27, 2026
nntld
nntld commented Mar 27, 2026
View reviewed changes
Comment thread source/features/status-subscription.tsx Outdated
SunsetTechuila
SunsetTechuila reviewed Mar 27, 2026
View reviewed changes
Comment thread source/features/status-subscription.tsx Outdated
SunsetTechuila
SunsetTechuila reviewed Mar 27, 2026
View reviewed changes
Comment thread source/github-helpers/api.tsx Outdated
SunsetTechuila
SunsetTechuila reviewed Mar 27, 2026
View reviewed changes
Comment thread source/github-helpers/api.tsx Outdated
fregante
fregante approved these changes Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@fregante fregante left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me from a first look, I like that it handles the POST calls automatically 👌

There are just a couple of nitpicks in the review comments

@nntld nntld marked this pull request as ready for review March 29, 2026 11:13
@fregante
Copy link
Copy Markdown
Member

fregante commented Apr 2, 2026

@SunsetTechuila feel free to merge when ready

SunsetTechuila
SunsetTechuila approved these changes Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@SunsetTechuila SunsetTechuila left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure why onetime should be used instead of mem, but it's not a big deal. LGTM

@fregante
Copy link
Copy Markdown
Member

fregante commented Apr 2, 2026

Without any parameters, mem is identical to onetime but slower.

With parameters you're suggesting to extract 60% of the function's utility, placing the async getters outside the memoization.

At any rate it would be weird to have such a specific assertion that is essentially console.assert(arguments[0] === arguments[1], "error message"). At that point why have a memoized helper at all? a === b is not a useful memoization.

@fregante fregante merged commit 3c34efe into refined-github:main Apr 2, 2026
9 checks passed
@fregante fregante changed the title Prevent mismatched user token usage Multi-user support: only use current user token Apr 2, 2026
@SunsetTechuila
Copy link
Copy Markdown
Member

SunsetTechuila commented Apr 2, 2026
edited
Loading

placing the async getters outside the memoization

We need two arguments for memoization: user (returned by sync getLoggedInUser) and token (returned by async getToken). assertCurrentUser is called by v4uncached and v3uncached. Both of these functions already call getToken.

@SunsetTechuila
Copy link
Copy Markdown
Member

SunsetTechuila commented Apr 2, 2026

@nntld thank you

@fregante
Copy link
Copy Markdown
Member

fregante commented Apr 2, 2026

Ok? And what expensive operation do you memoize exactly after taking those two out?

@SunsetTechuila
Copy link
Copy Markdown
Member

SunsetTechuila commented Apr 2, 2026
edited
Loading

what expensive operation

I agree that switching from onetime to mem won't noticeably improve efficiency:

it's not a big deal

It will, however, marginally improve it for free

@fregante
Copy link
Copy Markdown
Member

fregante commented Apr 2, 2026
edited
Loading

Taking those values out makes sense, memoizing the assertion afterwards does not.

It's either onetime to wrap the entire logic in a useful helper or no memoization at all.

Copilot AI mentioned this pull request Apr 2, 2026
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fregante fregante fregante approved these changes

@SunsetTechuila SunsetTechuila SunsetTechuila approved these changes

Assignees

No one assigned

Labels

enhancement meta Related to Refined GitHub itself

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Prevent mismatched user token usage

3 participants

@nntld @fregante @SunsetTechuila