fix(github): StaticRoundTripper now owns token splitting and rotation for AccessToken connections

Ke-vin-S · Ke-vin-S · commit afe168bf36c2 · 2026-04-08T08:57:10.000+05:30
Previously, connection.Token (comma-separated PATs) was injected as-is
into the Authorization header, sending "Bearer tok1,tok2,tok3" instead
of a single rotated token.

StaticRoundTripper now splits the raw token string on comma and rotates
through tokens round-robin using an atomic counter.

For REST: StaticRoundTripper operates at transport level and always
overwrites the Authorization header set by SetupAuthentication.
SetupAuthentication is retained because conn.tokens is still required
by GetTokensCount() for rate limit calculation — but its header write
is superseded by StaticRoundTripper on every request.

For GraphQL: SetupAuthentication is never called by the graphql client,
so StaticRoundTripper is the only auth mechanism on this path — without
this fix, GraphQL requests were sent with the full unsplit token string.
diff --git a/backend/plugins/github/token/round_tripper.go b/backend/plugins/github/token/round_tripper.go
@@ -19,6 +19,8 @@ package token
 
 import (
 	"net/http"
+	"strings"
+    "sync/atomic"
 )
 
 // RefreshRoundTripper is an HTTP transport middleware that automatically manages OAuth token refreshes.
@@ -97,22 +99,32 @@ func (rt *RefreshRoundTripper) roundTripWithRetry(req *http.Request, refreshAtte
 // StaticRoundTripper is an HTTP transport that injects a fixed bearer token.
 // Unlike RefreshRoundTripper, it does NOT attempt refresh or retries.
 type StaticRoundTripper struct {
-	base  http.RoundTripper
-	token string
+	base   http.RoundTripper
+	tokens []string
+	idx    atomic.Uint64
 }
 
-func NewStaticRoundTripper(base http.RoundTripper, token string) *StaticRoundTripper {
+func NewStaticRoundTripper(base http.RoundTripper, rawToken string) *StaticRoundTripper {
 	if base == nil {
 		base = http.DefaultTransport
 	}
-	return &StaticRoundTripper{
-		base:  base,
-		token: token,
+	parts := strings.Split(rawToken, ",")
+	tokens := make([]string, 0, len(parts))
+	for _, t := range parts {
+		if t = strings.TrimSpace(t); t != "" {
+			tokens = append(tokens, t)
+		}
+	}
+	if len(tokens) == 0 {
+		tokens = []string{rawToken}
 	}
+	return &StaticRoundTripper{base: base, tokens: tokens}
 }
 
 func (rt *StaticRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	// always overrides headers put by SetupAuthentication, to make sure the token is always injected
+	tok := rt.tokens[rt.idx.Add(1)%uint64(len(rt.tokens))]
 	reqClone := req.Clone(req.Context())
-	reqClone.Header.Set("Authorization", "Bearer "+rt.token)
+	reqClone.Header.Set("Authorization", "Bearer "+tok)
 	return rt.base.RoundTrip(reqClone)
 }
