Using Lucia-auth/oauth how can i fetched the private email from github users?

[hansaskov]

I want to implement GitHub oauth with an email as the primary key, but the email field on the providerUser object is always null. Changing the githubAuth scope to include 'user:email' still results in the email field being null.

Searching for an answer lead me to the github docs and this stack overflow question that explains that the null email field that is returned to me is for the public email, and since my account has it hidden it will return null. To get the private email another api route has to be fetched from. That other route is

https://api.github.com/user/emails

If this is the case what should i do to fetched the private email for github users?

For refrence i am using Sveltekit and this is how i create a new user from the github callback.

// routes/api/oauth/github/+server.ts
const { existingUser, providerUser, createUser } = await githubAuth.validateCallback(code);

const getUser = async () => {
	if (existingUser) return existingUser;
	// create a new user if the user does not exist
	return await createUser({
		// attributes
		email: providerUser.email,
		email_verified: false
	});
};

The above code causes an error because the providerUser.email is null, below is all the fields for providerUser

{
  login: 'hansaskov',
  id: 70580312,
  node_id: 'MDQ6VXNlcjcwNgdadszEy',
  avatar_url: 'https://avatars.githubusercontent.com/u/70580312?v=4',
  gravatar_id: '',
  url: 'https://api.github.com/users/hansaskov',
  html_url: 'https://github.com/hansaskov',
  followers_url: 'https://api.github.com/users/hansaskov/followers',
  following_url: 'https://api.github.com/users/hansaskov/following{/other_user}',
  gists_url: 'https://api.github.com/users/hansaskov/gists{/gist_id}',
  starred_url: 'https://api.github.com/users/hansaskov/starred{/owner}{/repo}',
  subscriptions_url: 'https://api.github.com/users/hansaskov/subscriptions',
  organizations_url: 'https://api.github.com/users/hansaskov/orgs',
  repos_url: 'https://api.github.com/users/hansaskov/repos',
  events_url: 'https://api.github.com/users/hansaskov/events{/privacy}',
  received_events_url: 'https://api.github.com/users/hansaskov/received_events',
  type: 'User',
  site_admin: false,
  name: 'Hans Askov',
  company: null,
  blog: '',
  location: null,
  email: null,
  hireable: null,
  bio: null,
  twitter_username: null,
  public_repos: 8,
  public_gists: 0,
  followers: 0,
  following: 1,
  created_at: '2020-09-01T11:42:55Z',
  updated_at: '2023-05-01T08:26:51Z'
}

Here is how i initialize the githubAuth

// src/lib/server/lucia.ts
export const githubAuth = github(auth, {
	clientId: GITHUB_CLIENT_ID,
	clientSecret: GITHUB_CLIENT_SECRET,
	scope: ['user:email']
});

[pilcrowonpaper]

githubAuth.validateCallback returns a tokens property that includes an access token

[hansaskov]

That is true, but is it possible to use the internal Lucia functions instead of creating my own?

The functionality almost exist, but are not exported as an API. I would really like a generalized version of the getProviderUser function to be exported, so i could use it in my own program with the https://api.github.com/user/emails" url instead.

Here is a suggestion, change getProviderUser within the validateCallback to take arguments instead of hard coding them. The validateCallback could look like this:

validateCallback: async (code: string) => {
	const tokens = await getTokens(code);
	const providerUser = await getProvider<GithubUser>("https://api.github.com/user", "bearer", tokens.accessToken);
	const providerUserId = providerUser.id.toString();
	const providerAuth = await connectAuth(auth, PROVIDER_ID, providerUserId);
	return {
		...providerAuth,
		providerUser,
		tokens
	};
}

Where the previous named getProviderUser is now called getProvider and the only difference is the use of parameters

export const getProvider = async <T extends {}>(req_url: string, type: 'bearer' | 'basic', accessToken: string) => {
	const request = new Request(req_url, {
		headers: authorizationHeaders(type, accessToken)
	});
	return await handleRequest<T>(request);
};

I have a fork with this implemented and it allows me to do the following svelltekit app that is quite neat.

// routes/api/oauth/github/+server.ts

type GithubEmail = {
	email: string;
	verified: boolean;
	primary: boolean;
	visibility: string;
};

const { existingUser, providerUser, createUser } = await githubAuth.validateCallback(code);
const providerEmails = await getProvider<[GithubEmail]>("https://api.github.com/user/emails", "bearer", tokens.accessToken);

const getUser = async () => {
	if (existingUser) return existingUser;
	// create a new user if the user does not exist
	return await createUser({
		// attributes
		email: providerEmails.email,
		email_verified: false
	});
};

I see that many of the providers that you support follow the same structure. A lot of code could be removed by reusing the getProvider function