GitHub OAuth Security Enhancement

[ShashankFC]

Test 4

Summary by CodeRabbit

• New Features

  • Added OAuth-based GitHub login flow integration for seamless authentication

• Bug Fixes

  • Enhanced installation validation to prevent mismatches between authenticated users and installations
  • Improved error messaging and handling for invalid installation requests, conflicts, and pending deletions

• Tests

  • Expanded test coverage for GitHub installation flows and error scenarios

_{✏️ Tip: You can customize this high-level summary in your review settings.}

---

Replicated from ai-code-review-evaluation/sentry-coderabbit#4

[Copilot]

Pull request overview

This PR enhances GitHub OAuth integration security by implementing an OAuth-based login flow to validate installation requests and prevent unauthorized installations. The changes ensure that the GitHub user initiating the installation matches the user who authenticated, preventing potential security vulnerabilities where an attacker could hijack an installation process.

Changes:

• Added OAuth authentication step before GitHub app installation
• Implemented validation to verify the authenticated GitHub user matches the installation sender
• Consolidated error handling into reusable helper functions

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
src/sentry/integrations/github/integration.py	Added OAuth login view, user validation logic, and refactored error handling
src/sentry/web/frontend/pipeline_advancer.py	Simplified forward install check from list to direct comparison
tests/sentry/integrations/github/test_integration.py	Added comprehensive test coverage for OAuth flow and user mismatch scenarios

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Corrected capitalization of 'Github' to 'GitHub' to match the official brand name.

Suggested change

	error_short="Github installed on another Sentry organization.",
	error_short="GitHub installed on another Sentry organization.",

[Copilot]

The bare except Exception catches all exceptions without logging or providing specific error context. Consider logging the exception details before returning the generic error to aid in debugging OAuth token exchange failures.

Suggested change

	try:
	body = safe_urlread(req).decode("utf-8")
	payload = dict(parse_qsl(body))
	except Exception:
	body = ""
	try:
	body = safe_urlread(req).decode("utf-8")
	payload = dict(parse_qsl(body))
	except Exception as exc:
	logger.exception(
	"Failed to parse GitHub OAuth token exchange response",
	extra={"body": body},
	)

[Copilot]

The metadata access integration.metadata[\"sender\"][\"login\"] could raise a KeyError if the expected structure is missing. Add validation to check for the existence of these nested keys before accessing them to prevent potential crashes and improve error handling.

Suggested change

	if (
	pipeline.fetch_state("github_authenticated_user")
	!= integration.metadata["sender"]["login"]
	):
	metadata = integration.metadata or {}
	sender_login: str | None = None
	if isinstance(metadata, Mapping):
	sender = metadata.get("sender")
	if isinstance(sender, Mapping):
	sender_login = sender.get("login")
	if pipeline.fetch_state("github_authenticated_user") != sender_login:

[Copilot]

Using a magic number index responses.calls[2] makes the test fragile. If the number or order of API calls changes, this test will break unexpectedly. Consider using a more explicit approach, such as filtering calls by URL or adding a descriptive comment explaining why this is the third call.