refactor(github): extract shared authenticated http client from api client

Ke-vin-S · Ke-vin-S · commit 6510b003f0b2 · 2026-03-22T18:50:50.000+05:30
- moved token provider and refresh round tripper setup into a reusable helper
- introduced CreateAuthenticatedHttpClient to centralize auth + transport logic
- updated CreateApiClient to use shared http client instead of inline setup

Rationale:
- decouples authentication (transport layer) from REST-specific client logic
- enables reuse for GraphQL client without duplicating token refresh logic
- aligns architecture with separation of concerns (http transport vs api clients)
diff --git a/backend/plugins/github/tasks/api_client.go b/backend/plugins/github/tasks/api_client.go
@@ -26,7 +26,6 @@ import (
 	"github.com/apache/incubator-devlake/core/plugin"
 	"github.com/apache/incubator-devlake/helpers/pluginhelper/api"
 	"github.com/apache/incubator-devlake/plugins/github/models"
-	"github.com/apache/incubator-devlake/plugins/github/token"
 )
 
 func CreateApiClient(taskCtx plugin.TaskContext, connection *models.GithubConnection) (*api.ApiAsyncClient, errors.Error) {
@@ -35,40 +34,10 @@ func CreateApiClient(taskCtx plugin.TaskContext, connection *models.GithubConnec
 		return nil, err
 	}
 
-	logger := taskCtx.GetLogger()
-	db := taskCtx.GetDal()
-	encryptionSecret := taskCtx.GetConfig(plugin.EncodeKeyEnvStr)
-
-	// Inject TokenProvider for OAuth refresh or GitHub App installation tokens.
-	var tp *token.TokenProvider
-	if connection.RefreshToken != "" {
-		tp = token.NewTokenProvider(connection, db, apiClient.GetClient(), logger, encryptionSecret)
-	} else if connection.AuthMethod == models.AppKey && connection.InstallationID != 0 {
-		tp = token.NewAppInstallationTokenProvider(connection, db, apiClient.GetClient(), logger, encryptionSecret)
-	}
-	if tp != nil {
-		// Wrap the transport
-		baseTransport := apiClient.GetClient().Transport
-		if baseTransport == nil {
-			baseTransport = http.DefaultTransport
-		}
-
-		rt := token.NewRefreshRoundTripper(baseTransport, tp)
-		apiClient.GetClient().Transport = rt
-		logger.Info("Installed token refresh round tripper for connection %d (authMethod=%s)",
-			connection.ID, connection.AuthMethod)
-	}
-
-	// Persist the freshly minted token so the DB has a correctly encrypted value.
-	// PrepareApiClient (called by NewApiClientFromConnection) mints the token
-	// in-memory but does not persist it; without this, the DB may contain a stale
-	// or corrupted token that breaks GET /connections.
-	if connection.AuthMethod == models.AppKey && connection.Token != "" {
-		if err := token.PersistEncryptedTokenColumns(db, connection, encryptionSecret, logger, false); err != nil {
-			logger.Warn(err, "Failed to persist initial token for connection %d", connection.ID)
-		} else {
-			logger.Info("Persisted initial token for connection %d", connection.ID)
-		}
+	// inject the shared auth layer
+	_, err = CreateAuthenticatedHttpClient(taskCtx, connection, apiClient.GetClient())
+	if err != nil {
+		return nil, err
 	}
 
 	// create rate limit calculator
diff --git a/backend/plugins/github/tasks/http_client.go b/backend/plugins/github/tasks/http_client.go
@@ -0,0 +1,78 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tasks
+
+import (
+	"net/http"
+
+	"github.com/apache/incubator-devlake/core/errors"
+	"github.com/apache/incubator-devlake/core/plugin"
+	"github.com/apache/incubator-devlake/plugins/github/models"
+	"github.com/apache/incubator-devlake/plugins/github/token"
+)
+
+func CreateAuthenticatedHttpClient(
+	taskCtx plugin.TaskContext,
+	connection *models.GithubConnection,
+	baseClient *http.Client,
+) (*http.Client, errors.Error) {
+
+	logger := taskCtx.GetLogger()
+	db := taskCtx.GetDal()
+	encryptionSecret := taskCtx.GetConfig(plugin.EncodeKeyEnvStr)
+
+	if baseClient == nil {
+		baseClient = &http.Client{}
+	}
+
+	// Inject TokenProvider for OAuth refresh or GitHub App installation tokens.
+	var tp *token.TokenProvider
+	if connection.RefreshToken != "" {
+		tp = token.NewTokenProvider(connection, db, baseClient, logger, encryptionSecret)
+	} else if connection.AuthMethod == models.AppKey && connection.InstallationID != 0 {
+		tp = token.NewAppInstallationTokenProvider(connection, db, baseClient, logger, encryptionSecret)
+	}
+
+	if tp != nil {
+		baseTransport := baseClient.Transport
+		if baseTransport == nil {
+			baseTransport = http.DefaultTransport
+		}
+
+		baseClient.Transport = token.NewRefreshRoundTripper(baseTransport, tp)
+		logger.Info(
+			"Installed token refresh round tripper for connection %d (authMethod=%s)",
+			connection.ID,
+			connection.AuthMethod,
+		)
+	}
+
+	// Persist the freshly minted token so the DB has a correctly encrypted value.
+	// PrepareApiClient (called by NewApiClientFromConnection) mints the token
+	// in-memory but does not persist it; without this, the DB may contain a stale
+	// or corrupted token that breaks GET /connections.
+	if connection.AuthMethod == models.AppKey && connection.Token != "" {
+		if err := token.PersistEncryptedTokenColumns(db, connection, encryptionSecret, logger, false); err != nil {
+			logger.Warn(err, "Failed to persist initial token for connection %d", connection.ID)
+		} else {
+			logger.Info("Persisted initial token for connection %d", connection.ID)
+		}
+	}
+
+	return baseClient, nil
+}
