From 1265fa2d3b8720d1da0c5374f52dd6b75dae7de6 Mon Sep 17 00:00:00 2001
From: openhands <openhands@all-hands.dev>
Date: Sun, 22 Mar 2026 20:07:20 +0000
Subject: [PATCH] fix: preflight API check uses /user endpoint which requires
 read:user scope (#569)

Replace /api/v1/user with /api/v1/repos/{owner}/{repo} in three places:
- preflight_check() auth verification
- setup_codeberg_auth() --token flag verification
- setup_codeberg_auth() interactive flow verification

The repo endpoint only requires repo-level access, which matches the
scopes disinto actually needs (write:issue, write:repository). Tokens
without read:user scope now pass verification correctly.

Also use generic "token" as netrc login since the username is no longer
retrieved from the API (git operations authenticate via the token, not
the login field).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 bin/disinto | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/bin/disinto b/bin/disinto
index b78768a..eca1196 100755
--- a/bin/disinto
+++ b/bin/disinto
@@ -84,19 +84,20 @@ write_netrc() {
 # Args: [token_from_flag]
 setup_codeberg_auth() {
   local token_flag="${1:-}"
+  local repo_slug="${2:-}"
 
   # --token flag takes priority: verify and save
   if [ -n "$token_flag" ]; then
-    local login
-    login=$(curl -sf --max-time 10 \
+    local verify_url="https://codeberg.org/api/v1/repos/${repo_slug}"
+    if ! curl -sf --max-time 10 \
       -H "Authorization: token ${token_flag}" \
-      "https://codeberg.org/api/v1/user" | jq -r '.login') || {
+      "$verify_url" >/dev/null 2>&1; then
       echo "Error: provided token failed verification" >&2
       exit 1
-    }
-    write_netrc "$login" "$token_flag"
+    fi
+    write_netrc "token" "$token_flag"
     echo "Saving to ~/.netrc... done."
-    echo "Verified: logged in as ${login} ✓"
+    echo "Verified: token accepted ✓"
     export CODEBERG_TOKEN="$token_flag"
     return
   fi
@@ -138,12 +139,10 @@ setup_codeberg_auth() {
       continue
     fi
 
-    local login
-    login=$(curl -sf --max-time 10 \
+    local verify_url="https://codeberg.org/api/v1/repos/${repo_slug}"
+    if ! curl -sf --max-time 10 \
       -H "Authorization: token ${token_input}" \
-      "https://codeberg.org/api/v1/user" 2>/dev/null | jq -r '.login' 2>/dev/null) || login=""
-
-    if [ -z "$login" ]; then
+      "$verify_url" >/dev/null 2>&1; then
       echo "Token verification failed. Check your token and try again." >&2
       read -rp "Retry? [Y/n] " retry
       if [[ "$retry" =~ ^[Nn] ]]; then
@@ -153,9 +152,9 @@ setup_codeberg_auth() {
       continue
     fi
 
-    write_netrc "$login" "$token_input"
+    write_netrc "token" "$token_input"
     echo "Saving to ~/.netrc... done."
-    echo "Verified: logged in as ${login} ✓"
+    echo "Verified: token accepted ✓"
     export CODEBERG_TOKEN="$token_input"
     return
   done
@@ -163,6 +162,7 @@ setup_codeberg_auth() {
 
 # Preflight check — verify all factory requirements before proceeding.
 preflight_check() {
+  local repo_slug="${1:-}"
   local errors=0
 
   # ── Required commands ──
@@ -216,7 +216,7 @@ preflight_check() {
     else
       curl_args+=(--netrc)
     fi
-    if ! curl "${curl_args[@]}" "https://codeberg.org/api/v1/user" >/dev/null 2>&1; then
+    if ! curl "${curl_args[@]}" "https://codeberg.org/api/v1/repos/${repo_slug}" >/dev/null 2>&1; then
       echo "Error: Codeberg API auth failed" >&2
       echo "  Verify your CODEBERG_TOKEN or ~/.netrc credentials" >&2
       errors=$((errors + 1))
@@ -493,10 +493,10 @@ p.write_text(text)
   fi
 
   # Set up Codeberg auth (interactive if needed, before preflight)
-  setup_codeberg_auth "$token_flag"
+  setup_codeberg_auth "$token_flag" "$codeberg_repo"
 
   # Preflight: verify factory requirements
-  preflight_check
+  preflight_check "$codeberg_repo"
 
   # Determine repo root (for new projects)
   repo_root="${repo_root:-/home/${USER}/${project_name}}"