feat: add support for GitHub enterprise

Author: zimbatm

README.md

@@ -9,7 +9,7 @@ to get those tokens in the right place.
 ## Features
 
 - OAuth device flow authentication (no manual token creation needed)
-- Support for multiple providers (GitHub and GitLab)
+- Support for multiple providers (GitHub, GitHub Enterprise, and GitLab)
 - Secure token storage in `~/.config/nix/nix.conf`
 - Token validation and status checking
 - Automatic backup creation before modifying configuration
@@ -73,12 +73,28 @@ Authenticate with GitLab:
 nix-auth login gitlab
 ```
 
+Authenticate with GitHub Enterprise or GitLab self-hosted:
+
+```bash
+# GitHub Enterprise
+nix-auth login github --host github.company.com --client-id <your-client-id>
+
+# GitLab self-hosted
+nix-auth login gitlab --host gitlab.company.com --client-id <your-application-id>
+```
+
 The tool will:
 1. Display a one-time code
 2. Open your browser to the provider's device authorization page
 3. Wait for you to authorize the application
 4. Save the token to `~/.config/nix/nix.conf`
 
+**Note for self-hosted instances**:
+- **GitHub Enterprise**: You'll need to create an OAuth App and provide the client ID via `--client-id`
+- **GitLab self-hosted**: You'll need to create an OAuth application and provide the client ID via `--client-id`
+
+The tool will guide you through this process if the client ID is not provided. You can also set the `GITHUB_CLIENT_ID` or `GITLAB_CLIENT_ID` environment variables as an alternative to the `--client-id` flag.
+
 ### Check Status
 
 View all configured tokens:
@@ -95,19 +111,25 @@ Remove a token interactively:
 nix-auth logout
 ```
 
-Or remove a specific provider's token:
+Remove a specific provider's token:
 
 ```bash
 nix-auth logout github
 ```
 
+Remove a token for a specific host:
+
+```bash
+nix-auth logout --host github.company.com
+```
+
 ## How It Works
 
 The tool manages the `access-tokens` configuration in your `~/.config/nix/nix.conf` file. This allows Nix to authenticate when fetching flake inputs from private repositories or builtins fetchers, and hitting rate limits.
 
 Example configuration added by this tool:
 ```
-access-tokens = github.com=ghp_xxxxxxxxxxxxxxxxxxxx gitlab.com=glpat-xxxxxxxxxxxx
+access-tokens = github.com=ghp_xxxxxxxxxxxxxxxxxxxx gitlab.com=glpat-xxxxxxxxxxxx github.company.com=ghp_yyyyyyyy
 ```
 
 ## Security
@@ -119,7 +141,7 @@ access-tokens = github.com=ghp_xxxxxxxxxxxxxxxxxxxx gitlab.com=glpat-xxxxxxxxxxx
 
 ## Future Plans
 
-- Support for more providers; Gitea / Forgego / GitHub Enterprise / ...
+- Support for more providers (Gitea, Forgejo, Bitbucket, etc.)
 - Token expiration notifications
 - Integration with system keychains for secure storage (will require patching
     Nix)

cmd/login.go

@@ -3,6 +3,7 @@ package cmd
 import (
 	"context"
 	"fmt"
+	"os"
 	"strings"
 
 	"github.com/numtide/nix-auth/internal/config"
@@ -16,19 +17,22 @@ var loginCmd = &cobra.Command{
 	Short: "Authenticate with a provider and save the access token",
 	Long: `Authenticate with a provider (GitHub, GitLab, etc.) using OAuth device flow
 and save the access token to your nix.conf for use with Nix flakes.`,
-	Example: `  nix-auth login          # defaults to GitHub
+	Example: `  nix-auth login                      # defaults to GitHub
   nix-auth login github
-  nix-auth login gitlab`,
+  nix-auth login gitlab
+  nix-auth login github --host github.company.com --client-id abc123`,
 	Args: cobra.MaximumNArgs(1),
 	RunE: runLogin,
 }
 
 var (
-	loginHost string
+	loginHost     string
+	loginClientID string
 )
 
 func init() {
 	loginCmd.Flags().StringVar(&loginHost, "host", "", "Custom host (e.g., github.company.com)")
+	loginCmd.Flags().StringVar(&loginClientID, "client-id", "", "OAuth client ID (required for self-hosted instances)")
 }
 
 func runLogin(cmd *cobra.Command, args []string) error {
@@ -48,11 +52,25 @@ func runLogin(cmd *cobra.Command, args []string) error {
 	host := prov.Host()
 	if loginHost != "" {
 		host = loginHost
-		// Set custom host for GitLab provider
-		if gitlabProv, ok := prov.(*provider.GitLabProvider); ok {
-			gitlabProv.SetHost(host)
+	}
+
+	// Always set the host (even if it's the default)
+	prov.SetHost(host)
+
+	// Set client ID: use flag, fallback to environment variable
+	clientID := loginClientID
+	if clientID == "" {
+		// Check provider-specific environment variable
+		switch providerName {
+		case "github":
+			clientID = os.Getenv("GITHUB_CLIENT_ID")
+		case "gitlab":
+			clientID = os.Getenv("GITLAB_CLIENT_ID")
 		}
 	}
+	if clientID != "" {
+		prov.SetClientID(clientID)
+	}
 
 	fmt.Printf("Authenticating with %s (%s)...\n", prov.Name(), host)
 

internal/provider/device_flow.go

@@ -32,4 +32,3 @@ func ShowWaitingMessage() {
 	fmt.Println()
 	fmt.Println("Waiting for authorization...")
 }
-

internal/provider/github.go

@@ -14,21 +14,55 @@ func init() {
 	Register("github", &GitHubProvider{})
 }
 
-type GitHubProvider struct{}
+type GitHubProvider struct {
+	host     string
+	clientID string
+}
+
+// SetHost sets a custom host for the GitHub provider
+func (g *GitHubProvider) SetHost(host string) {
+	g.host = host
+}
+
+// SetClientID sets a custom OAuth client ID for the GitHub provider
+func (g *GitHubProvider) SetClientID(clientID string) {
+	g.clientID = clientID
+}
+
+// getBaseURL returns the base URL for web URLs
+func (g *GitHubProvider) getBaseURL() string {
+	if g.host != "" && g.host != "github.com" {
+		return fmt.Sprintf("https://%s", g.host)
+	}
+	return "https://github.com"
+}
+
+// getAPIURL returns the base URL for API calls
+func (g *GitHubProvider) getAPIURL() string {
+	if g.host != "" && g.host != "github.com" {
+		// GitHub Enterprise uses {host}/api/v3
+		return fmt.Sprintf("https://%s/api/v3", g.host)
+	}
+	// GitHub.com uses api.github.com
+	return "https://api.github.com"
+}
 
 // makeGitHubAPIRequest is a helper function to make authenticated requests to GitHub API
 func (g *GitHubProvider) makeGitHubAPIRequest(ctx context.Context, token string, endpoint string) (*http.Response, error) {
 	headers := map[string]string{
 		"Accept": "application/vnd.github.v3+json",
 	}
-	return makeAuthenticatedRequest(ctx, "GET", endpoint, token, "token "+token, headers)
+	return makeAuthenticatedRequest(ctx, "GET", endpoint, "token "+token, headers)
 }
 
 func (g *GitHubProvider) Name() string {
 	return "github"
 }
 
 func (g *GitHubProvider) Host() string {
+	if g.host != "" {
+		return g.host
+	}
 	return "github.com"
 }
 
@@ -38,13 +72,35 @@ func (g *GitHubProvider) GetScopes() []string {
 }
 
 func (g *GitHubProvider) Authenticate(ctx context.Context) (string, error) {
-	clientID := "178c6fc778ccc68e1d6a" // GitHub CLI's client ID - widely used for CLI tools
-	scopes := g.GetScopes()
+	clientID := g.clientID
+	if clientID == "" {
+		if g.host == "github.com" || g.host == "" {
+			clientID = "178c6fc778ccc68e1d6a" // GitHub CLI's client ID - widely used for CLI tools
+		} else {
+			// Provide instructions for creating an OAuth app
+			fmt.Println("GitHub Enterprise OAuth authentication requires a Client ID.")
+			fmt.Println("\nTo create one:")
+			fmt.Printf("1. Go to %s/settings/applications/new\n", g.getBaseURL())
+			fmt.Println("2. Create a new OAuth App with:")
+			fmt.Println("   - Application name: nix-auth (or any name you prefer)")
+			fmt.Println("   - Homepage URL: https://github.com/numtide/nix-auth")
+			fmt.Println("   - Authorization callback URL: http://127.0.0.1/callback")
+			fmt.Println("3. After creating, copy the Client ID")
+			fmt.Println("\nThen run:")
+			fmt.Printf("  nix-auth login github --host %s --client-id <your-client-id>\n", g.host)
+			fmt.Println("\nOr set the GITHUB_CLIENT_ID environment variable:")
+			fmt.Println("  export GITHUB_CLIENT_ID=<your-client-id>")
+			fmt.Printf("  nix-auth login github --host %s\n", g.host)
+			return "", fmt.Errorf("client ID required for GitHub Enterprise (use --client-id flag or GITHUB_CLIENT_ID env var)")
+		}
+	}
 
+	scopes := g.GetScopes()
 	httpClient := &http.Client{}
 
 	// Request device code
-	code, err := device.RequestCode(httpClient, "https://github.com/login/device/code", clientID, scopes)
+	deviceCodeURL := fmt.Sprintf("%s/login/device/code", g.getBaseURL())
+	code, err := device.RequestCode(httpClient, deviceCodeURL, clientID, scopes)
 	if err != nil {
 		return "", fmt.Errorf("failed to request device code: %w", err)
 	}
@@ -54,7 +110,8 @@ func (g *GitHubProvider) Authenticate(ctx context.Context) (string, error) {
 	ShowWaitingMessage()
 
 	// Wait for user to authorize
-	accessToken, err := device.Wait(ctx, httpClient, "https://github.com/login/oauth/access_token", device.WaitOptions{
+	accessTokenURL := fmt.Sprintf("%s/login/oauth/access_token", g.getBaseURL())
+	accessToken, err := device.Wait(ctx, httpClient, accessTokenURL, device.WaitOptions{
 		ClientID:   clientID,
 		DeviceCode: code,
 	})
@@ -66,7 +123,8 @@ func (g *GitHubProvider) Authenticate(ctx context.Context) (string, error) {
 }
 
 func (g *GitHubProvider) ValidateToken(ctx context.Context, token string) error {
-	resp, err := g.makeGitHubAPIRequest(ctx, token, "https://api.github.com/user")
+	userURL := fmt.Sprintf("%s/user", g.getAPIURL())
+	resp, err := g.makeGitHubAPIRequest(ctx, token, userURL)
 	if err != nil {
 		return fmt.Errorf("failed to validate token: %w", err)
 	}
@@ -76,7 +134,8 @@ func (g *GitHubProvider) ValidateToken(ctx context.Context, token string) error
 }
 
 func (g *GitHubProvider) GetUserInfo(ctx context.Context, token string) (username, fullName string, err error) {
-	resp, err := g.makeGitHubAPIRequest(ctx, token, "https://api.github.com/user")
+	userURL := fmt.Sprintf("%s/user", g.getAPIURL())
+	resp, err := g.makeGitHubAPIRequest(ctx, token, userURL)
 	if err != nil {
 		return "", "", fmt.Errorf("failed to get user info: %w", err)
 	}
@@ -95,7 +154,8 @@ func (g *GitHubProvider) GetUserInfo(ctx context.Context, token string) (usernam
 }
 
 func (g *GitHubProvider) GetTokenScopes(ctx context.Context, token string) ([]string, error) {
-	resp, err := g.makeGitHubAPIRequest(ctx, token, "https://api.github.com/user")
+	userURL := fmt.Sprintf("%s/user", g.getAPIURL())
+	resp, err := g.makeGitHubAPIRequest(ctx, token, userURL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to check token scopes: %w", err)
 	}

internal/provider/gitlab.go

@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
-	"os"
 	"strings"
 	"time"
 )
@@ -16,14 +15,20 @@ func init() {
 }
 
 type GitLabProvider struct {
-	host string
+	host     string
+	clientID string
 }
 
 // SetHost sets a custom host for the GitLab provider
 func (g *GitLabProvider) SetHost(host string) {
 	g.host = host
 }
 
+// SetClientID sets a custom OAuth client ID for the GitLab provider
+func (g *GitLabProvider) SetClientID(clientID string) {
+	g.clientID = clientID
+}
+
 // getBaseURL returns the base URL for API calls
 func (g *GitLabProvider) getBaseURL() string {
 	if g.host != "" && g.host != "gitlab.com" {
@@ -59,7 +64,7 @@ func (g *GitLabProvider) makeGitLabAPIRequest(ctx context.Context, token string,
 	headers := map[string]string{
 		"Accept": "application/json",
 	}
-	return makeAuthenticatedRequest(ctx, "GET", endpoint, token, "Bearer "+token, headers)
+	return makeAuthenticatedRequest(ctx, "GET", endpoint, "Bearer "+token, headers)
 }
 
 func (g *GitLabProvider) Name() string {
@@ -79,8 +84,7 @@ func (g *GitLabProvider) GetScopes() []string {
 }
 
 func (g *GitLabProvider) Authenticate(ctx context.Context) (string, error) {
-	// Check for GitLab client ID in environment
-	clientID := os.Getenv("GITLAB_CLIENT_ID")
+	clientID := g.clientID
 	if clientID == "" {
 		if g.host == "gitlab.com" || g.host == "" {
 			// FIXME: taken from https://gitlab.com/gitlab-org/cli/-/issues/1338
@@ -97,9 +101,11 @@ func (g *GitLabProvider) Authenticate(ctx context.Context) (string, error) {
 			fmt.Println("   - Scopes: ☑ read_api")
 			fmt.Println("3. Copy the Application ID")
 			fmt.Println("\nThen run:")
+			fmt.Printf("  nix-auth login gitlab --host %s --client-id <your-application-id>\n", g.host)
+			fmt.Println("\nOr set the GITLAB_CLIENT_ID environment variable:")
 			fmt.Println("  export GITLAB_CLIENT_ID=<your-application-id>")
-			fmt.Println("  nix-auth login gitlab")
-			return "", fmt.Errorf("GITLAB_CLIENT_ID environment variable not set")
+			fmt.Printf("  nix-auth login gitlab --host %s\n", g.host)
+			return "", fmt.Errorf("client ID required for GitLab self-hosted (use --client-id flag or GITLAB_CLIENT_ID env var)")
 		}
 	}
 

internal/provider/http_client.go

@@ -8,7 +8,7 @@ import (
 
 // makeAuthenticatedRequest creates and executes an authenticated HTTP request
 // with common error handling for authentication providers
-func makeAuthenticatedRequest(ctx context.Context, method, url, token, authHeader string, headers map[string]string) (*http.Response, error) {
+func makeAuthenticatedRequest(ctx context.Context, method, url, authHeader string, headers map[string]string) (*http.Response, error) {
 	req, err := http.NewRequestWithContext(ctx, method, url, nil)
 	if err != nil {
 		return nil, err
@@ -40,4 +40,3 @@ func makeAuthenticatedRequest(ctx context.Context, method, url, token, authHeade
 		return nil, fmt.Errorf("unexpected status code: %d", resp.StatusCode)
 	}
 }
-

internal/provider/provider.go

@@ -10,6 +10,12 @@ type Provider interface {
 	// Host returns the default host for this provider
 	Host() string
 
+	// SetHost sets a custom host for this provider
+	SetHost(host string)
+
+	// SetClientID sets a custom OAuth client ID for this provider
+	SetClientID(clientID string)
+
 	// Authenticate performs the OAuth flow and returns an access token
 	Authenticate(ctx context.Context) (string, error)