Authenticated API

[vedansh-5]

📌 Fixes

Implementing using of github personal tokens for authenticated api calls, limits now raised to 5000req/ip/hour.
Also added the steps on how to obtain the github personal tokens.

Fixes #105

📸 Screenshots / Demo (if UI-related)

Add screenshots, video, or link to deployed preview if applicable

---

✅ Checklist

• I’ve tested my changes locally
• I’ve added tests (if applicable)
• I’ve updated documentation (if applicable)
• My code follows the project’s code style guidelines

---

Summary by Sourcery

Add support for authenticated GitHub API calls using personal access tokens to increase rate limits, including UI enhancements for token input and visibility control, token persistence, and fallback for unauthenticated requests.

New Features:

• Allow users to input GitHub personal tokens for authenticated API requests.
• Add a visibility toggle with auto-hide behavior for the token input field.

Enhancements:

• Use stored tokens to set authorization headers for GitHub API calls and fallback to public requests when no token is provided.
• Persist and load the GitHub token across sessions via Chrome storage.

Documentation:

• Add steps in README to generate and configure a GitHub personal access token.

[sourcery-ai]

Reviewer's Guide

This PR adds support for GitHub personal access tokens to make authenticated API calls—with higher rate limits—by storing the token, branching AJAX requests to include authorization headers, providing a masked input with toggle controls in the popup UI, styling the token field, and updating documentation.

Sequence Diagram: Conditional GitHub API Call Logic

sequenceDiagram
    title Sequence Diagram: Conditional GitHub API Call Logic
    participant Script as "scrumHelper.js"
    participant Storage as "chrome.storage.local"
    participant GitHub as "GitHub API"

    Script->>Storage: get("githubToken")
    Storage-->>Script: githubToken (or null)
    alt Token is available
        Script->>GitHub: GET /search/issues (Authenticated with Authorization header)
    else Token is not available
        Script->>GitHub: GET /search/issues (Public unauthenticated call)
    end
    GitHub-->>Script: API Response

Loading

Class Diagram: Updates to JavaScript Modules for Token Authentication

classDiagram
    title Class Diagram: Updates to JavaScript Modules for Token Authentication

    class scrumHelper_js {
        +allIncluded() : void
        +fetchGithubData() : void
    }

    class popup_js {
        +handleTokenInputAndVisibility() : void
        +loadTokenFromStorage() : void
        +saveTokenToStorage() : void
    }

    class main_js {
        +handleBodyOnLoad() : void
        +handleGithubTokenChange() : void
    }

    class ChromeStorageService {
        <<External API>>
        +get(keys, callback) : void
        +set(items, callback) : void
    }

    scrumHelper_js ..> ChromeStorageService : uses
    popup_js ..> ChromeStorageService : uses
    main_js ..> ChromeStorageService : uses

Loading

File-Level Changes

Change	Details	Files
Implement token storage and conditional authenticated API calls in scrumHelper.js	Introduce githubToken variable and retrieve it from chrome.storage Wrap each GitHub AJAX request (issues, PR reviews, user data) in a token check Add Authorization and Accept headers when token is present Fallback to public requests when token is missing	src/scripts/scrumHelper.js
Add GitHub token input and visibility toggle in the popup UI	Insert password-type input and eye icon toggle button in popup.html Implement show/hide logic, auto-hide, and outside-click hide in popup.js Persist token value to chrome.storage on input and load existing token on init	src/popup.html src/scripts/popup.js
Handle token field in settings initialization and change events	Define githubTokenElement in main.js and read stored token on load Add keyup event listener to save token changes to storage	src/scripts/main.js
Style token input field and toggle controls in CSS	Define font, spacing, placeholder, and animation rules for #githubToken Style #toggleToken button, hover, dark mode, and remove default browser reveal icons	src/index.css
Update README with steps to generate and use GitHub personal tokens	Add instructions for navigating to GitHub settings, generating a classic token with no expiration, and storing it safely	README.md

Assessment against linked issues

Issue	Objective	Addressed	Explanation
#105	The extension should use authenticated GitHub API requests, increasing the rate limit to 5000 requests per hour per IP.	✅
#105	The extension should provide a way for users to input and store their GitHub personal access tokens.	✅
#105	The extension should gracefully fall back to unauthenticated requests if a token is not provided.	✅

Possibly linked issues

• Implement use of authenticated GitHub API requests instead of public API requests. #105: PR implements authenticated API calls using GitHub tokens to resolve rate limit issue.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey @vedansh-5 - I've reviewed your changes - here's some feedback:

• The AJAX calls for public vs authenticated requests are almost identical—consider refactoring them into a helper function to reduce duplication and simplify maintenance.
• The chrome.storage.local.get inside fetchGithubData is asynchronous and doesn’t block the immediate AJAX calls, so the token may not be set in time—restructure to await token retrieval before making requests.
• Debouncing or deferring chrome.storage.local.set on the token input (e.g. on blur or with a short timeout) would prevent excessive writes on every keystroke.

Prompt for AI Agents

Please address the comments from this code review:
## Overall Comments
- The AJAX calls for public vs authenticated requests are almost identical—consider refactoring them into a helper function to reduce duplication and simplify maintenance.
- The chrome.storage.local.get inside fetchGithubData is asynchronous and doesn’t block the immediate AJAX calls, so the token may not be set in time—restructure to await token retrieval before making requests.
- Debouncing or deferring chrome.storage.local.set on the token input (e.g. on blur or with a short timeout) would prevent excessive writes on every keystroke.

## Individual Comments

### Comment 1
<location> `src/scripts/scrumHelper.js:192` </location>
<code_context>
-				writeGithubIssuesPrs();
-			},
-		});
+		if(githubToken){
+			console.log("Making authenticated API calls-fetch github Data");
+			$.ajax({
</code_context>

<issue_to_address>
Extract repeated AJAX logic into helper

Consider creating a utility function that takes the URL and callback, handling headers as needed, to avoid duplicating similar AJAX request logic.

Suggested implementation:

```javascript

		// Helper function to fetch GitHub data with authentication
		function fetchGithubData(url, successCallback, errorCallback) {
			$.ajax({
				dataType: 'json',
				type: 'GET',
				url: url,
				headers: {
					Authorization: `Bearer ${githubToken}`,
					Accept: 'application/vnd.github+json'
				},
				success: successCallback,
				error: errorCallback
			});
		}

		if(githubToken){
			console.log("Making authenticated API calls-fetch github Data");
			fetchGithubData(
				issueUrl,
				function(data) {
					// Place your success logic here
				},
				function(xhr, textStatus, errorThrown) {
					console.error('Error fetching GitHub data:', {
						status: xhr.status,

```

- You will need to move the helper function `fetchGithubData` to a suitable location if you want to reuse it elsewhere in the file.
- Replace other similar `$.ajax` calls for GitHub API requests with this helper for full deduplication.
- Move the original success logic from the previous `$.ajax` call into the `successCallback` function in the new usage.
</issue_to_address>

### Comment 2
<location> `src/scripts/main.js:211` </location>
<code_context>
 }
 enableToggleElement.addEventListener('change', handleEnableChange);
 githubUsernameElement.addEventListener('keyup', handleGithubUsernameChange);
+githubTokenElement.addEventListener('keyup', handleGithubTokenChange);
 projectNameElement.addEventListener('keyup', handleProjectNameChange);
 startingDateElement.addEventListener('change', handleStartingDateChange);
</code_context>

<issue_to_address>
Standardize on input vs keyup event

Consider using the `input` event here, as in `popup.js`, to ensure consistent UI behavior.
</issue_to_address>

<suggested_fix>
<<<<<<< SEARCH
githubTokenElement.addEventListener('keyup', handleGithubTokenChange);
=======
githubTokenElement.addEventListener('input', handleGithubTokenChange);
>>>>>>> REPLACE

</suggested_fix>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[Preeti9764]

I have tested this, and it is correctly making authenticated calls using your personal classic GitHub token.

[vedansh-5]

@hpdang @mariobehling @Preeti9764 I have resolved the conflicts in this PR and moved the github Token input to settings. Please take a look whenever you can. Thanks!

[vedansh-5]

@hpdang Changes can be cleanly merged. Please take a look.
@Preeti9764 Could you take a look too?
Thanks!

[hpdang]

@vedansh-5 this looks good to me. I have the following suggestion:

In the Github Token Popup window, the 1st paragraph can be replaced with the following text if you think it makes sense:

Why is it recommended to add a GitHub token?
Scrum Helper works without a GitHub token, but adding a personal access token is recommended for a better experience. It raises your API limits, allows access to private repos (if permitted), and improves accuracy and speed. Tokens are stored securely and used only to fetch your git data. You can add one anytime in the extension settings.

[hpdang]

@Preeti9764 I'm not able to test with Outlook and Yahoo, could you please help to test this as well? Thank you.

[vedansh-5]

@Preeti9764 I'm not able to test with Outlook and Yahoo, could you please help to test this as well? Thank you.

Yahoo:

outlook:

As we can notice the subject is missing from yahoo, we have an existing issue for the same and #138 fixes it.
Thank you.

[Preeti9764]

@Preeti9764 I'm not able to test with Outlook and Yahoo, could you please help to test this as well? Thank you.

@hpdang @vedansh-5 I have reviewed this pr and tried using both type of tokens fine grained tokens as well as classic tokens , the authenticated request is correctly made for classic tokens and report is generated correctly at various email-clients , but for fine grained token the report is not generated, @vedansh-5 as per the note given both should work can you please tell the details how to use the fine grained token or only to use the classic (token ) , it would be good for user if you can modify the note and explanation more clearly . Thanks!

[vedansh-5]

@Preeti9764 I'm not able to test with Outlook and Yahoo, could you please help to test this as well? Thank you.

as per the note given both should work can you please tell the details how to use the fine grained token or only to use the classic (token ) , it would be good for user if you can modify the note and explanation more clearly . Thanks!

I have changed the note to use only classic token, authorization headers are enough to work with fine grained tokens too, but github uses specifically is:issues and is:pull-request in search queries with finegrained tokens so the fetching request returns a 422 error.
Given that classic tokens solves our initial problem of 60 requests per hour per ip, fine grained tokens are an overkill.
If we still want to add support for them, we can do so in another PR (we'll have to rework the fetching logic).
@hpdang This PR is ready from my side, please take a look whenever you can. Thanks!