feat: Config-driven opt-in authentication registry with multi-platform support

[Copilot]

Security-first authentication for catalog systems

No credentials are sent unless the user explicitly creates ~/.specify/auth.json mapping hosts to providers. This is a full opt-in model — without the config file, all HTTP requests are unauthenticated.

~/.specify/auth.json

{
  "providers": [
    {
      "hosts": ["github.com", "api.github.com", "raw.githubusercontent.com", "codeload.github.com"],
      "provider": "github",
      "auth": "bearer",
      "token_env": "GH_TOKEN"
    }
  ]
}

See docs/reference/authentication.md for full reference and template.

New: src/specify_cli/authentication/

src/specify_cli/authentication/
├── __init__.py      # AUTH_REGISTRY + _register / get_provider
├── base.py          # AuthProvider ABC (auth_headers, resolve_token)
├── config.py        # auth.json loader, validator, host matcher
├── http.py          # open_url / build_request with host matching,
│                    #   redirect stripping, provider fallthrough
├── github.py        # GitHubAuth — bearer scheme
└── azure_devops.py  # AzureDevOpsAuth — basic-pat, bearer, azure-cli, azure-ad

How it works

1. open_url() matches URL hostname against hosts in auth.json
2. Matching entry's provider resolves the token (token, token_env, or dynamic acquisition)
3. Provider builds the Authorization header (Bearer, Basic, etc.)
4. On 401/403, tries the next matching entry, then falls through to unauthenticated
5. On redirects, strips Authorization when leaving the entry's declared hosts

Providers and auth schemes

GitHub (github)

Scheme	Header	Use for
bearer	`Authorization: ******	PATs, fine-grained PATs, OAuth tokens, GitHub App tokens

Azure DevOps (azure-devops)

Scheme	Header	Use for
basic-pat	Authorization: Basic base64(:<PAT>)	Personal Access Tokens
bearer	`Authorization: ******	Pre-acquired OAuth / Azure AD tokens
azure-cli	`Authorization: ******	Token via az account get-access-token
azure-ad	`Authorization: ******	OAuth2 client credentials flow

Wiring

All HTTP request paths now go through authentication.http.open_url():

• ExtensionCatalog._open_url() / _make_request()
• PresetCatalog._open_url() / _make_request()
• IntegrationCatalog._fetch_single_catalog()
• WorkflowCatalog._fetch_single_catalog()
• _fetch_latest_release_tag() (with Accept: application/vnd.github+json)
• All --from-url download paths in CLI commands

Security hardening

• Host pattern validation — hosts entries in auth.json are now validated to only allow exact hostnames (e.g. github.com) or the constrained *.suffix wildcard form (e.g. *.visualstudio.com). Dangerous forms like *github.com — which fnmatch would match against github.com.evil.com, leaking credentials — are rejected with a ValueError at config-load time.
• Per-process config caching — _load_config() reads and validates auth.json at most once per process. Subsequent calls return the cached result, eliminating redundant I/O on every HTTP request. A warning about a malformed config file fires at most once.
• POSIX-only permission check — The world-readable file warning is skipped on Windows where POSIX mode bits are not meaningful.
• Resource cleanup — HTTPError responses are explicitly closed before retrying the next auth entry on 401/403, preventing connection leaks.
• Auth scheme validation derives from providers — The supported_auth_schemes check is derived from the registered provider rather than a separate static set, eliminating the risk of the two drifting out of sync.

Tests

1823+ total tests passing, including auth-specific tests covering:

• Config loading (valid configs, inline tokens, validation errors, permission warnings)
• Host pattern validation (dangerous wildcard rejection, valid *.suffix acceptance)
• Host matching (exact, wildcard, non-matching, lookalike hosts)
• Provider headers (bearer, basic-pat, unsupported scheme errors)
• Token resolution (env vars, inline, whitespace handling, missing)
• HTTP helpers (auth attachment, non-matching hosts, fallthrough on 401/403)
• Config caching (single load per process, warning fires once, override bypasses cache)
• Redirect stripping (within hosts preserved across multi-hop redirects, outside hosts stripped)
• Negative tests (500/404 raise immediately, URLError, timeout propagation)

[Copilot]

Pull request overview

Adds an authentication provider registry to support multiple platforms (GitHub + Azure DevOps) and refactors outbound HTTP calls to use shared authenticated helpers.

Changes:

• Introduces specify_cli.authentication registry + AuthProvider base, with GitHubAuth and AzureDevOpsAuth implementations.
• Adds authentication.http helpers (build_request, open_url) and refactors catalog/workflow fetching and release-tag checks to use them.
• Updates/expands tests to cover registry behavior, provider token resolution, and HTTP delegation.

Show a summary per file

File	Description
tests/test_presets.py	Updates auth-related request tests for new auth helper behavior.
tests/test_extensions.py	Updates auth-related request tests for new auth helper behavior.
tests/test_authentication.py	Adds comprehensive tests for registry, providers, and HTTP helper behavior.
tests/integrations/test_integration_catalog.py	Adjusts urlopen monkeypatching to target new auth HTTP module.
src/specify_cli/workflows/catalog.py	Switches catalog fetching to use authentication.http.open_url.
src/specify_cli/presets.py	Routes request/open helpers through new auth HTTP module.
src/specify_cli/integrations/catalog.py	Switches catalog fetching to use authentication.http.open_url.
src/specify_cli/extensions.py	Routes request/open helpers through new auth HTTP module.
src/specify_cli/authentication/http.py	Implements shared authenticated request building + retry/fallthrough behavior.
src/specify_cli/authentication/github.py	Adds GitHub token resolution + Bearer header construction.
src/specify_cli/authentication/base.py	Adds AuthProvider ABC with get_token, auth_headers, is_configured.
src/specify_cli/authentication/azure_devops.py	Adds Azure DevOps PAT/token resolution + Basic auth header construction.
src/specify_cli/authentication/init.py	Implements global provider registry + builtin registration.
src/specify_cli/init.py	Refactors _fetch_latest_release_tag() and URL-download paths to use open_url.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 14/14 changed files
• Comments generated: 7

[Copilot]

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 17/17 changed files
• Comments generated: 13

[Copilot]

The tables use leading double pipes (||) which creates an empty first column and is likely unintended / may break markdown rendering and linting. Consider converting these to standard markdown table syntax with single leading/trailing |.

[Copilot]

auth is validated against a global set, but the config doesn't validate that the selected provider actually supports the requested scheme (e.g., provider="github" + auth="basic-pat" would pass here but later raise at request time). Consider validating provider+scheme compatibility during load (using the provider registry) and raising a clear ValueError that points to the offending entry.

[Copilot]

There are several unused imports here (os, field, Any). They add noise and can fail strict linting; please remove them.

Suggested change

	import os
	import stat
	from dataclasses import dataclass, field
	from fnmatch import fnmatch
	from pathlib import Path
	from typing import Any
	import stat
	from dataclasses import dataclass
	from fnmatch import fnmatch
	from pathlib import Path

[Copilot]

extra_headers are merged after provider-generated auth headers in both build_request() and open_url(), which allows callers to override Authorization (accidentally or intentionally) and potentially bypass the configured provider behavior. Consider merging extra_headers first and then applying provider auth headers last, or explicitly rejecting/ignoring an Authorization key in extra_headers.

[Copilot]

tried is incremented but never read. This looks like leftover instrumentation; please remove it (or use it) to avoid dead code.

[Copilot]

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 17/17 changed files
• Comments generated: 4

[Copilot]

Copilot's findings

• Files reviewed: 19/19 changed files
• Comments generated: 5

[mnriem]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

Applied in commit 9024848:

1. http.py — exc.close() called before continue on 401/403 to release the response connection.
2. config.py — Removed _VALID_AUTH_SCHEMES frozenset and its pre-check entirely. Auth scheme validation now derives from the registered provider's supported_auth_schemes, eliminating the duplicate source of truth.
3. azure_devops.py — Added subprocess.TimeoutExpired to the exception handler in _acquire_via_az_cli() so timeouts fall back cleanly to None.
4. tests/test_authentication.py — Added @pytest.mark.skipif(os.name == "nt", ...) to test_world_readable_warns since POSIX permission bits aren't meaningful on Windows.
5. catalog.py — Removed the unused import urllib.request from _fetch_single_catalog().

[Copilot]

Copilot's findings

• Files reviewed: 19/19 changed files
• Comments generated: 2

[mnriem]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

Applied in commit ef5deb7:

1. __init__.py — Rate-limit message now uses the stable ~/.specify/auth.json form instead of the fully-expanded path. Removed the now-unused _default_config_path import.
2. config.py — World-readable permission check is now guarded with if os.name != "nt": so it's skipped entirely on Windows, where POSIX mode bits are unreliable.
3. tests/test_upgrade.py — Updated _RATE_LIMITED_REASON and assertion to match the new stable path form; removed the now-unused _default_config_path import.

[Copilot]

Copilot's findings

• Files reviewed: 19/19 changed files
• Comments generated: 2

[mnriem]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

Applied in commits dda6883 and 2cf2bd3:

1. config.py — Added _is_valid_host_pattern() that rejects dangerous wildcard forms. Only exact hostnames (e.g., github.com) or *.suffix forms (e.g., *.visualstudio.com) are accepted. Patterns like *github.com (which fnmatch would match against github.com.evil.com) now raise ValueError at config-load time, before any request is made.

2. http.py — Added _config_cache module variable. _load_config() now stores the first result (success or empty-on-error) and returns it on subsequent calls without re-reading the file. The "failed to load" warning fires at most once per process. When _config_override is set (test path), the cache is bypassed entirely.

3. tests/conftest.py — The autouse isolation fixture now also resets _config_cache to None per test.

4. tests/test_authentication.py — Added 6 new tests: dangerous wildcard rejection, multi-wildcard rejection, valid *.suffix acceptance, cache-after-first-load, override-bypasses-cache, and warning-fires-once-then-cached.