feat(github): support static token transport for GraphQL and REST clients

Ke-vin-S · Ke-vin-S · commit 1d380aee618f · 2026-04-08T08:57:10.000+05:30
add StaticRoundTripper for PAT authentication and use it in the shared http client.

since the same client is used by both REST and GraphQL, auth handling must distinguish
between refreshable tokens and static tokens. avoid applying refresh/retry logic to PAT.

ensures correct behavior across clients and prevents unnecessary retries for static auth.
diff --git a/backend/plugins/github/tasks/http_client.go b/backend/plugins/github/tasks/http_client.go
@@ -48,18 +48,28 @@ func CreateAuthenticatedHttpClient(
 		tp = token.NewAppInstallationTokenProvider(connection, db, baseClient, logger, encryptionSecret)
 	}
 
-	if tp != nil {
-		baseTransport := baseClient.Transport
-		if baseTransport == nil {
-			baseTransport = http.DefaultTransport
-		}
+	baseTransport := baseClient.Transport
+	if baseTransport == nil {
+		baseTransport = http.DefaultTransport
+	}
 
+	if tp != nil {
 		baseClient.Transport = token.NewRefreshRoundTripper(baseTransport, tp)
 		logger.Info(
 			"Installed token refresh round tripper for connection %d (authMethod=%s)",
 			connection.ID,
 			connection.AuthMethod,
 		)
+
+	} else if connection.Token != "" {
+		baseClient.Transport = token.NewStaticRoundTripper(
+			baseTransport,
+			connection.Token,
+		)
+		logger.Info(
+			"Installed static token round tripper for connection %d",
+			connection.ID,
+		)
 	}
 
 	// Persist the freshly minted token so the DB has a correctly encrypted value.
@@ -73,6 +83,7 @@ func CreateAuthenticatedHttpClient(
 			logger.Info("Persisted initial token for connection %d", connection.ID)
 		}
 	}
+	println("http client HIT3")
 
 	return baseClient, nil
 }
diff --git a/backend/plugins/github/token/round_tripper.go b/backend/plugins/github/token/round_tripper.go
@@ -93,3 +93,26 @@ func (rt *RefreshRoundTripper) roundTripWithRetry(req *http.Request, refreshAtte
 
 	return resp, nil
 }
+
+// StaticRoundTripper is an HTTP transport that injects a fixed bearer token.
+// Unlike RefreshRoundTripper, it does NOT attempt refresh or retries.
+type StaticRoundTripper struct {
+	base  http.RoundTripper
+	token string
+}
+
+func NewStaticRoundTripper(base http.RoundTripper, token string) *StaticRoundTripper {
+	if base == nil {
+		base = http.DefaultTransport
+	}
+	return &StaticRoundTripper{
+		base:  base,
+		token: token,
+	}
+}
+
+func (rt *StaticRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	reqClone := req.Clone(req.Context())
+	reqClone.Header.Set("Authorization", "Bearer "+rt.token)
+	return rt.base.RoundTrip(reqClone)
+}
