fix github oauth for private emails

app/clients/application_client.rb

@@ -14,6 +14,10 @@ class InternalError < Error; end
   BASE_URI = "https://example.org"
   NET_HTTP_ERRORS = [Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Net::HTTPBadResponse, Net::HTTPHeaderSyntaxError, Net::ProtocolError]
 
+  def initialize(token: nil)
+    @token = token
+  end
+
   def default_headers
     {
       "Accept" => content_type,
@@ -78,9 +82,7 @@ def base_uri
     self.class::BASE_URI
   end
 
-  def token
-    raise NotImplementedError
-  end
+  attr_reader :token
 
   def make_request(klass:, path:, headers: {}, body: nil, query: nil, form_data: nil)
     raise ArgumentError, "Cannot pass both body and form_data" if body.present? && form_data.present?

app/clients/github/client.rb

@@ -2,10 +2,14 @@ module Github
   class Client < ApplicationClient
     BASE_URI = "https://api.github.com"
 
+    def initialize(token: ENV["RUBYVIDEO_GITHUB_TOKEN"])
+      super
+    end
+
     private
 
-    def token
-      ENV["RUBYVIDEO_GITHUB_TOKEN"]
+    def authorization_header
+      token ? {"Authorization" => "Bearer #{token}"} : {}
     end
 
     def content_type

app/clients/github/user_client.rb

@@ -7,5 +7,9 @@ def profile(username)
     def search(q, per_page: 10, page: 1)
       get("/search/users", query: {q: q, per_page: per_page, page: page})
     end
+
+    def emails
+      get("/user/emails")
+    end
   end
 end

app/controllers/sessions/omniauth_controller.rb

@@ -6,12 +6,12 @@ def create
     connected_account = ConnectedAccount.find_or_initialize_by(provider: omniauth.provider, uid: omniauth.uid)
 
     if connected_account.new_record?
-      @user = User.find_or_create_by(email: omniauth.info.email) do |user|
+      @user = User.find_or_create_by(email: github_email) do |user|
         user.password = SecureRandom.base58
         user.verified = true
       end
       connected_account.user = @user
-      connected_account.access_token = omniauth.credentials&.try(:token)
+      connected_account.access_token = token
       connected_account.username = omniauth.info&.try(:nickname)
       connected_account.save!
     else
@@ -34,12 +34,16 @@ def failure
 
   private
 
-  def redirect_to_path
-    query_params["redirect_to"] || root_path
+  def github_email
+    @github_email ||= omniauth.info.email || fetch_github_email(token)
   end
 
-  def user_params
-    {email: omniauth.info.email, password: SecureRandom.base58, verified: true}
+  def token
+    @token ||= omniauth.credentials.token
+  end
+
+  def redirect_to_path
+    query_params["redirect_to"] || root_path
   end
 
   def omniauth_params
@@ -53,4 +57,13 @@ def omniauth
   def query_params
     request.env["omniauth.params"]
   end
+
+  def fetch_github_email(oauth_token)
+    return unless oauth_token
+    response = Github::UserClient.new(token: oauth_token).emails
+
+    emails = response.parsed_body
+    primary_email = emails.find { |email| email.primary && email.verified }
+    primary_email&.email
+  end
 end

config/initializers/omniauth.rb

@@ -3,5 +3,5 @@
 
   github_client_id = Rails.application.credentials.dig(:github, :client_id) || ENV["GITHUB_CLIENT_ID"]
   github_client_secret = Rails.application.credentials.dig(:github, :client_secret) || ENV["GITHUB_CLIENT_SECRET"]
-  provider :github, github_client_id, github_client_secret, scope: "read:user,read:email"
+  provider :github, github_client_id, github_client_secret, scope: "read:user,user:email"
 end