@openneuro/server 4.35.0 → 4.36.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openneuro/server",
-  "version": "4.35.0",
+  "version": "4.36.0",
   "description": "Core service for the OpenNeuro platform.",
   "license": "MIT",
   "main": "src/server.js",
@@ -15,13 +15,13 @@
   },
   "author": "Squishymedia",
   "dependencies": {
-    "@apollo/client": "3.11.8",
-    "@apollo/server": "4.9.3",
+    "@apollo/client": "3.13.8",
+    "@apollo/server": "4.12.1",
     "@apollo/utils.keyvadapter": "3.0.0",
     "@elastic/elasticsearch": "8.13.1",
     "@graphql-tools/schema": "^10.0.0",
     "@keyv/redis": "^2.7.0",
-    "@openneuro/search": "^4.35.0",
+    "@openneuro/search": "^4.36.0",
     "@sentry/node": "^8.25.0",
     "@sentry/profiling-node": "^8.25.0",
     "base64url": "^3.0.0",
@@ -48,6 +48,7 @@
     "node-mailjet": "^3.3.5",
     "object-hash": "2.1.1",
     "passport": "0.7.0",
+    "passport-github2": "^0.1.12",
     "passport-google-oauth20": "2.0.0",
     "passport-jwt": "4.0.1",
     "passport-oauth2-refresh": "2.2.0",
@@ -85,5 +86,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "ce3f98fbbe9da0c9463dcae9fe6357c1000d0fa5"
+  "gitHead": "ac7fa1782779cfdf1f46c9a5add8865155177b99"
 }

package/src/config.ts

@@ -27,6 +27,10 @@ const config = {
       clientID: process.env.GLOBUS_CLIENT_ID,
       clientSecret: process.env.GLOBUS_CLIENT_SECRET,
     },
+    github: {
+      clientID: process.env.GITHUB_CLIENT_ID,
+      clientSecret: process.env.GITHUB_CLIENT_SECRET,
+    },
     jwt: {
       secret: process.env.JWT_SECRET,
     },

package/src/graphql/resolvers/__tests__/user.spec.ts

@@ -1,27 +1,352 @@
-import { vi } from "vitest"
+import {
+  afterAll,
+  beforeAll,
+  beforeEach,
+  describe,
+  expect,
+  it,
+  vi,
+} from "vitest"
+import { MongoMemoryServer } from "mongodb-memory-server"
+import mongoose, { Types } from "mongoose"
+import User from "../../../models/user"
 import { users } from "../user.js"
+import type { GraphQLContext } from "../user.js"
 
 vi.mock("ioredis")
 
+let mongod: MongoMemoryServer
+
+// Test data loaded before each test
+const testUsersSeedData = [
+  {
+    _id: new Types.ObjectId("60f0f0f0f0f0f0f0f0f0f0f1"),
+    id: "u1",
+    email: "atest1@example.com",
+    name: "Alice Admin",
+    admin: true,
+    blocked: false,
+    migrated: false,
+    updatedAt: new Date("2023-01-05T00:00:00.000Z"),
+    providerId: "0000-0000-0000-0001",
+    provider: "orcid",
+    orcid: "0000-0000-0000-0001",
+  },
+  {
+    _id: new Types.ObjectId("60f0f0f0f0f0f0f0f0f0f0f2"),
+    id: "u2",
+    email: "btest2@example.com",
+    name: "Test User",
+    admin: false,
+    blocked: false,
+    migrated: false,
+    updatedAt: new Date("2023-01-04T00:00:00.000Z"),
+    providerId: "google2",
+    provider: "google",
+  },
+  {
+    _id: new Types.ObjectId("60f0f0f0f0f0f0f0f0f0f0f3"),
+    id: "u3",
+    email: "ctest3@example.com",
+    name: "Test User",
+    admin: false,
+    blocked: true,
+    migrated: false,
+    updatedAt: new Date("2023-01-03T00:00:00.000Z"),
+    providerId: "0000-0000-0000-0003",
+    provider: "orcid",
+  },
+  {
+    _id: new Types.ObjectId("60f0f0f0f0f0f0f0f0f0f0f4"),
+    id: "u4",
+    email: "dtest4@example.com",
+    name: "Test Admin User",
+    admin: true,
+    blocked: true,
+    migrated: false,
+    updatedAt: new Date("2023-01-02T00:00:00.000Z"),
+    providerId: "0000-0000-0000-0004",
+    provider: "orcid",
+    orcid: "0000-0000-0000-0004",
+  },
+  {
+    _id: new Types.ObjectId("60f0f0f0f0f0f0f0f0f0f0f5"),
+    id: "u5",
+    email: "etest2@example.com",
+    name: "Test User",
+    admin: false,
+    blocked: false,
+    migrated: true,
+    updatedAt: new Date("2023-01-04T00:00:00.000Z"),
+    providerId: "google2",
+    provider: "google",
+  },
+  {
+    _id: new Types.ObjectId("60f0f0f0f0f0f0f0f0f0f0f6"),
+    id: "u6",
+    email: "ftest6@example.com",
+    name: "Test Admin User",
+    admin: true,
+    blocked: false,
+    migrated: false,
+    updatedAt: new Date("2023-01-06T00:00:00.000Z"),
+    providerId: "orcid6",
+    provider: "orcid",
+    orcid: "0000-0000-0000-0006",
+  }, // Most recent
+  {
+    _id: new Types.ObjectId("60f0f0f0f0f0f0f0f0f0f0f7"),
+    id: "u7",
+    email: "gtest7@example.com",
+    name: "Test User",
+    admin: false,
+    blocked: false,
+    migrated: false,
+    updatedAt: new Date("2023-01-05T00:00:00.000Z"),
+  }, // Same updatedAt as u1, for secondary sort testing
+]
+
+// Admin context for tests
+const adminContext: GraphQLContext = {
+  userInfo: { userId: "admin-user", admin: true, username: "adminUser" },
+}
+// Non-admin context for tests
+const nonAdminContext: GraphQLContext = {
+  userInfo: { userId: "normal-user", admin: false, username: "normalUser" },
+}
+
 describe("user resolvers", () => {
+  beforeAll(async () => {
+    mongod = await MongoMemoryServer.create()
+    const uri = mongod.getUri()
+    await mongoose.connect(uri)
+  })
+
+  afterAll(async () => {
+    await mongoose.disconnect()
+    await mongod.stop()
+  })
+
+  beforeEach(async () => {
+    await User.deleteMany({})
+    await User.insertMany(testUsersSeedData)
+  })
+
   describe("users()", () => {
-    it("throws an error for non-admins", () => {
-      expect(
-        users(
-          null,
-          { id: "3311cfe8-9764-434d-b80e-1b1ee72c686d" },
-          { userInfo: {} },
-        ),
-      ).rejects.toEqual(new Error("You must be a site admin to retrieve users"))
-    })
-    it("throws an error for non-admins", () => {
-      expect(
-        users(
-          null,
-          { id: "0000-0000-0000-000X" },
-          { userInfo: {} },
-        ),
-      ).rejects.toEqual(new Error("You must be a site admin to retrieve users"))
+    it("rejects data for non-admin context", async () => {
+      await expect(users(null, {}, nonAdminContext)).rejects.toThrow(
+        "You must be a site admin to retrieve users",
+      )
+    })
+
+    it("returns all non-migrated users by default, sorted by updatedAt desc then _id desc", async () => {
+      const result = await users(null, {}, adminContext)
+      // u5 is migrated. 6 non-migrated users: u1, u2, u3, u4, u6, u7
+      expect(result.users.length).toBe(6)
+      expect(result.totalCount).toBe(6)
+
+      const dbSortedUsers = await User.find({ migrated: { $ne: true } })
+        .sort({ updatedAt: -1, _id: -1 })
+        .exec()
+      const expectedIds = dbSortedUsers.map((u) => u.id)
+      expect(result.users.map((u) => u.id)).toEqual(expectedIds)
+      // Expected order based on seed data _ids: u6, u7, u1, u2, u3, u4
+      // (u7 _id > u1 _id, so u7 comes before u1 in _id desc sort when updatedAt is same)
+      expect(expectedIds).toEqual(["u6", "u7", "u1", "u2", "u3", "u4"])
+    })
+
+    it("handles pagination with limit", async () => {
+      const dbSortedUsers = await User.find({ migrated: { $ne: true } })
+        .sort({ updatedAt: -1, _id: -1 })
+        .exec()
+      const expectedLimitedIds = dbSortedUsers.slice(0, 2).map((u) => u.id)
+
+      const result = await users(null, { limit: 2 }, adminContext)
+      expect(result.users.length).toBe(2)
+      expect(result.totalCount).toBe(6)
+      expect(result.users.map((u) => u.id)).toEqual(expectedLimitedIds)
+    })
+
+    it("handles pagination with offset", async () => {
+      const dbSortedUsers = await User.find({ migrated: { $ne: true } })
+        .sort({ updatedAt: -1, _id: -1 })
+        .exec()
+      const expectedOffsetIds = dbSortedUsers.slice(4).map((u) => u.id) // Skips 4
+
+      const result = await users(null, { offset: 4 }, adminContext)
+      expect(result.users.length).toBe(2) // Total 6, offset 4, so 2 remaining
+      expect(result.totalCount).toBe(6)
+      expect(result.users.map((u) => u.id)).toEqual(expectedOffsetIds) // Should be ['u3', 'u4']
+    })
+
+    it("handles pagination with limit and offset", async () => {
+      const dbSortedUsers = await User.find({ migrated: { $ne: true } })
+        .sort({ updatedAt: -1, _id: -1 })
+        .exec()
+      const expectedPaginatedIds = dbSortedUsers.slice(1, 1 + 2).map((u) =>
+        u.id
+      ) // Skip 1, take 2
+
+      const result = await users(null, { limit: 2, offset: 1 }, adminContext)
+      expect(result.users.length).toBe(2)
+      expect(result.totalCount).toBe(6)
+      expect(result.users.map((u) => u.id)).toEqual(expectedPaginatedIds) // Should be ['u7', 'u1']
+    })
+
+    it("filters by isAdmin: true", async () => {
+      const result = await users(null, { isAdmin: true }, adminContext)
+      expect(result.users.length).toBe(3)
+      expect(result.totalCount).toBe(3)
+      const ids = result.users.map((u) => u.id)
+      expect(ids).toEqual(expect.arrayContaining(["u1", "u4", "u6"]))
+    })
+
+    it("filters by isAdmin: false", async () => {
+      const result = await users(null, { isAdmin: false }, adminContext)
+      expect(result.users.length).toBe(3)
+      expect(result.totalCount).toBe(3)
+      const ids = result.users.map((u) => u.id)
+      expect(ids).toEqual(expect.arrayContaining(["u2", "u3", "u7"]))
+    })
+
+    it("filters by isBlocked: true", async () => {
+      const result = await users(null, { isBlocked: true }, adminContext)
+      expect(result.users.length).toBe(2)
+      expect(result.totalCount).toBe(2)
+      const ids = result.users.map((u) => u.id)
+      expect(ids).toEqual(expect.arrayContaining(["u3", "u4"]))
+    })
+
+    it("filters by isBlocked: false", async () => {
+      const result = await users(null, { isBlocked: false }, adminContext)
+      // Not blocked (non-migrated): u1, u2, u6, u7 -> 4 users
+      expect(result.users.length).toBe(4)
+      expect(result.totalCount).toBe(4)
+      const ids = result.users.map((u) => u.id)
+      expect(ids).toEqual(expect.arrayContaining(["u1", "u2", "u6", "u7"]))
+    })
+
+    it("searches by name (case-insensitive, partial)", async () => {
+      const result = await users(null, { search: "Alice" }, adminContext)
+      expect(result.users.length).toBe(1)
+      expect(result.totalCount).toBe(1)
+      expect(result.users[0].id).toBe("u1")
+    })
+
+    it("searches by email (case-insensitive, partial)", async () => {
+      const result = await users(
+        null,
+        { search: "btest2@EXAMPLE" },
+        adminContext,
+      )
+      expect(result.users.length).toBe(1)
+      expect(result.totalCount).toBe(1)
+      expect(result.users[0].id).toBe("u2")
+    })
+
+    it("search returns empty if no match", async () => {
+      const result = await users(null, { search: "NoSuchUser" }, adminContext)
+      expect(result.users.length).toBe(0)
+      expect(result.totalCount).toBe(0)
+    })
+
+    it("combines search with other filters (e.g., isAdmin)", async () => {
+      await User.create({
+        _id: new Types.ObjectId(),
+        id: "u8",
+        email: "search_admin@example.com",
+        name: "Searchable Admin",
+        admin: true,
+        blocked: false,
+        migrated: false,
+        updatedAt: new Date("2023-01-07T00:00:00.000Z"),
+      })
+      // Search for "Admin" (matches u1 name, u6 name, u8 name) and isAdmin: true
+      const result = await users(
+        null,
+        { search: "Admin", isAdmin: true },
+        adminContext,
+      )
+      expect(result.users.length).toBe(4) // u1, u6, u8
+      expect(result.totalCount).toBe(4)
+      const ids = result.users.map((u) => u.id)
+      expect(ids).toEqual(expect.arrayContaining(["u1", "u6", "u8"]))
+    })
+
+    it("sorts by name ascending (with _id ascending as secondary)", async () => {
+      const result = await users(null, {
+        orderBy: [{ field: "name", order: "ascending" }],
+      }, adminContext)
+      const dbSortedUsers = await User.find({ migrated: { $ne: true } })
+        .sort({ name: 1, _id: 1 })
+        .exec()
+      expect(result.users.map((u) => u.id)).toEqual(
+        dbSortedUsers.map((u) => u.id),
+      )
+      // Expected: u1, u4, u6, u2, u3, u7
+      expect(dbSortedUsers.map((u) => u.id)).toEqual([
+        "u1",
+        "u4",
+        "u6",
+        "u2",
+        "u3",
+        "u7",
+      ])
+    })
+
+    it("sorts by email descending (with _id descending as secondary)", async () => {
+      const result = await users(null, {
+        orderBy: [{ field: "email", order: "descending" }],
+      }, adminContext)
+      const dbSortedUsers = await User.find({ migrated: { $ne: true } })
+        .sort({ email: -1, _id: -1 })
+        .exec()
+      expect(result.users.map((u) => u.id)).toEqual(
+        dbSortedUsers.map((u) => u.id),
+      )
+      // Expected: u7, u6, u4, u3, u2, u1
+      expect(dbSortedUsers.map((u) => u.id)).toEqual([
+        "u7",
+        "u6",
+        "u4",
+        "u3",
+        "u2",
+        "u1",
+      ])
+    })
+
+    it("handles multiple sort fields specified in orderBy (e.g. admin asc, name asc)", async () => {
+      const result = await users(null, {
+        orderBy: [
+          { field: "admin", order: "ascending" },
+          { field: "name", order: "ascending" },
+        ],
+      }, adminContext)
+      // Mongoose sort: { admin: 1, name: 1, _id: 1 } (since _id is added based on first sort field's order)
+      const dbSortedUsers = await User.find({ migrated: { $ne: true } })
+        .sort({ admin: 1, name: 1, _id: 1 })
+        .exec()
+      expect(result.users.map((u) => u.id)).toEqual(
+        dbSortedUsers.map((u) => u.id),
+      )
+      expect(dbSortedUsers.map((u) => u.id)).toEqual([
+        "u2",
+        "u3",
+        "u7",
+        "u1",
+        "u4",
+        "u6",
+      ])
+    })
+
+    it("correctly calculates totalCount regardless of pagination", async () => {
+      const result = await users(
+        null,
+        { isAdmin: true, limit: 1 },
+        adminContext,
+      )
+      expect(result.users.length).toBe(1)
+      expect(result.totalCount).toBe(3) // u1, u4, u6 are admins
     })
   })
 })

package/src/graphql/resolvers/comment.ts

@@ -105,7 +105,7 @@ export const deleteComment = async (
 const CommentFields = {
   parent: (obj) => comment(obj, { id: obj.parentId }),
   replies,
-  user: (obj) => user(obj, { id: obj.user._id }),
+  user: (obj) => user(obj, { id: obj.user._id }, null),
 }
 
 export default CommentFields

package/src/graphql/resolvers/dataset.ts

@@ -278,7 +278,7 @@ const worker = (obj) => getDatasetWorker(obj.id)
  * Dataset object
  */
 const Dataset = {
-  uploader: (ds) => user(ds, { id: ds.uploader }),
+  uploader: (ds, _, context) => user(ds, { id: ds.uploader }, context),
   draft: async (obj) => {
     const draftHead = await datalad.getDraftHead(obj.id)
     return {

package/src/graphql/resolvers/metadata.ts

@@ -27,7 +27,7 @@ export const metadata = async (
   // TODO - This could be a user object that is resolved with the full type instead of just email
   // Email matches the existing records however and the user object would require other changes
   const adminUsers = []
-  const { userPermissions } = await permissions(dataset)
+  const { userPermissions } = await permissions(dataset, null, context)
   for (const user of userPermissions) {
     if (user.level === "admin") {
       const userObj = await user.user

package/src/graphql/resolvers/permissions.ts

@@ -11,14 +11,14 @@ interface DatasetPermission {
   userPermissions: (PermissionDocument & { user: Promise<UserDocument> })[]
 }
 
-export async function permissions(ds): Promise<DatasetPermission> {
+export async function permissions(ds, _, context): Promise<DatasetPermission> {
   const permissions = await Permission.find({ datasetId: ds.id }).exec()
   return {
     id: ds.id,
     userPermissions: permissions.map(
       (userPermission) => ({
         ...userPermission.toJSON(),
-        user: user(ds, { id: userPermission.userId }),
+        user: user(ds, { id: userPermission.userId }, context),
       } as unknown as PermissionDocument & { user: Promise<UserDocument> }),
     ),
   }
@@ -28,13 +28,13 @@ const publishPermissions = async (datasetId) => {
   // Create permissionsUpdated object with DatasetPermissions in Dataset
   // and resolve all promises before publishing
   const ds = { id: datasetId }
-  const { id, userPermissions } = await permissions(ds)
+  const { id, userPermissions } = await permissions(ds, null, null)
   const permissionsUpdated = {
     id,
     userPermissions: await Promise.all(
       userPermissions.map(async (userPermission) => ({
         ...userPermission,
-        user: await user(ds, { id: userPermission.userId }),
+        user: await user(ds, { id: userPermission.userId }, null),
       })),
     ),
   }

package/src/graphql/resolvers/user.ts

@@ -2,29 +2,137 @@
  * User resolvers
  */
 import User from "../../models/user"
+
 function isValidOrcid(orcid: string): boolean {
   return /^[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{3}[0-9X]$/.test(orcid || "")
 }
 
-export const user = (obj, { id }) => {
+export async function user(obj, { id }, { userInfo }) {
+  let user
   if (isValidOrcid(id)) {
-    return User.findOne({
-      $or: [{ "orcid": id }, { "providerId": id }],
+    user = await User.findOne({
+      $or: [{ "provider": "orcid", "providerId": id }],
     }).exec()
   } else {
     // If it's not a valid ORCID, fall back to querying by user id
-    return User.findOne({ "id": id }).exec()
+    user = await User.findOne({ "id": id }).exec()
+  }
+  if (userInfo?.admin || user.id === userInfo?.id) {
+    return user.toObject()
+  } else {
+    const obj = user.toObject()
+    delete obj.email
+    return obj
   }
 }
 
-export const users = (obj, args, { userInfo }) => {
-  if (userInfo.admin) {
-    return User.find().exec()
-  } else {
+export interface UserInfo {
+  userId: string
+  admin: boolean
+  username?: string
+  provider?: string
+  providerId?: string
+  blocked?: boolean
+}
+
+export interface GraphQLContext {
+  userInfo: UserInfo | null
+}
+
+type MongoOperatorValue =
+  | string
+  | number
+  | boolean
+  | RegExp
+  | (string | number | boolean | RegExp)[]
+
+type MongoQueryOperator<T> = T | {
+  $ne?: T
+  $regex?: string
+  $options?: string
+  $gt?: T
+  $gte?: T
+  $lt?: T
+  $lte?: T
+  $in?: T[]
+}
+
+type MongoFilterValue =
+  | MongoOperatorValue
+  | MongoQueryOperator<MongoOperatorValue>
+
+interface MongoQueryCondition {
+  [key: string]: MongoFilterValue
+}
+export const users = async (
+  obj: unknown,
+  { isAdmin, isBlocked, search, limit = 100, offset = 0, orderBy }: {
+    isAdmin?: boolean
+    isBlocked?: boolean
+    search?: string
+    limit?: number
+    offset?: number
+    orderBy?: { field: string; order?: "ascending" | "descending" }[]
+  },
+  context: GraphQLContext,
+) => {
+  // --- check admin ---
+  if (!context.userInfo?.admin) {
     return Promise.reject(
       new Error("You must be a site admin to retrieve users"),
     )
   }
+
+  const filter: {
+    admin?: MongoQueryOperator<boolean>
+    blocked?: MongoQueryOperator<boolean>
+    migrated?: MongoQueryOperator<boolean>
+    $or?: MongoQueryCondition[]
+    name?: MongoQueryOperator<string | RegExp>
+    email?: MongoQueryOperator<string | RegExp>
+  } = {}
+
+  if (isAdmin !== undefined) filter.admin = isAdmin
+  if (isBlocked !== undefined) filter.blocked = isBlocked
+
+  filter.migrated = { $ne: true }
+
+  if (search) {
+    filter.$or = [
+      { name: { $regex: search, $options: "i" } },
+      { email: { $regex: search, $options: "i" } },
+    ]
+  }
+
+  let sort: Record<string, "asc" | "desc"> = {}
+  if (orderBy && orderBy.length > 0) {
+    orderBy.forEach((sortRule) => {
+      sort[sortRule.field] = sortRule.order
+        ? sortRule.order === "ascending" ? "asc" : "desc"
+        : "asc"
+    })
+
+    if (!sort._id) {
+      const primarySortOrder = sort[orderBy[0].field] || "asc"
+      sort._id = primarySortOrder
+    }
+  } else {
+    sort = { updatedAt: "desc", _id: "desc" }
+  }
+
+  const totalCount = await User.countDocuments(filter).exec()
+
+  let query = User.find(filter)
+  if (offset !== undefined) query = query.skip(offset)
+  if (limit !== undefined) query = query.limit(limit)
+  query = query.sort(sort)
+
+  const users = await query.exec()
+
+  return {
+    users: users,
+    totalCount: totalCount,
+  }
 }
 
 export const removeUser = (obj, { id }, { userInfo }) => {
@@ -89,7 +197,6 @@ const UserResolvers = {
   avatar: (obj) => obj.avatar,
   orcid: (obj) => obj.orcid,
   created: (obj) => obj.created,
-  modified: (obj) => obj.modified,
   lastSeen: (obj) => obj.lastSeen,
   email: (obj) => obj.email,
   name: (obj) => obj.name,
@@ -98,6 +205,7 @@ const UserResolvers = {
   location: (obj) => obj.location,
   institution: (obj) => obj.institution,
   links: (obj) => obj.links,
+  modified: (obj) => obj.updatedAt,
 }
 
 export default UserResolvers

package/src/graphql/schema.ts

@@ -26,6 +26,12 @@ export const typeDefs = `
     descending
   }
 
+  # Sorting order for users
+  input UserSortInput {
+    field: String!
+    order: SortOrdering = ascending 
+  }
+
   # Sorting order for datasets
   input DatasetSort {
     # Dataset created time
@@ -83,7 +89,14 @@ export const typeDefs = `
     # Get one user
     user(id: ID!): User
     # Get a list of users
-    users: [User]
+    users(
+      orderBy: [UserSortInput!]
+      isAdmin: Boolean
+      isBlocked: Boolean
+      search: String
+      limit: Int 
+      offset: Int 
+    ): UserList! 
     # Get the total number of dataset participants
     participantCount(modality: String): Int @cacheControl(maxAge: 3600, scope: PUBLIC)
     # Request one snapshot
@@ -331,9 +344,15 @@ export const typeDefs = `
     location: String
     institution: String
     github: String
+    githubSynced: Date
     links: [String]
   }
 
+  type UserList {
+    users: [User!]!
+    totalCount: Int!
+  }
+
   # Which provider a user login comes from
   enum UserProvider {
     google

package/src/libs/__tests__/github.spec.ts

@@ -0,0 +1,33 @@
+import type { Strategy as GitHubStrategy } from "passport-github2"
+import { vi } from "vitest"
+import passport from "passport"
+import { setupGitHubAuth } from "../authentication/github"
+
+// Mock the necessary modules
+vi.mock("../../models/user")
+vi.mock("../../config", () => ({
+  default: {
+    auth: {
+      github: {
+        clientID: "test-client-id",
+        clientSecret: "test-client-secret",
+      },
+      jwt: {
+        secret: "test-jwt-secret",
+      },
+    },
+    url: "http://localhost",
+    apiPrefix: "/api/",
+  },
+}))
+
+describe("GitHub OAuth Strategy", () => {
+  beforeAll(() => {
+    setupGitHubAuth()
+  })
+
+  it("should initialize GitHub strategy", () => {
+    const strategy = passport._strategies.github as GitHubStrategy
+    expect(strategy).toBeDefined()
+  })
+})

package/src/libs/authentication/github.ts

@@ -0,0 +1,185 @@
+import passport from "passport"
+import jwt from "jsonwebtoken"
+import { Strategy as GitHubStrategy } from "passport-github2"
+import config from "../../config"
+import User from "../../models/user"
+import * as Sentry from "@sentry/node"
+import { addJWT, jwtFromRequest } from "./jwt"
+import type { NextFunction, Request, Response } from "express"
+
+interface GitHubAuthInfo {
+  message?: string
+}
+
+interface GitHubUser {
+  _id: string
+  id: string
+  email?: string
+  name?: string
+  github?: string
+  avatar?: string
+  location?: string
+  institution?: string
+  links?: string[]
+  githubSynced?: Date
+}
+
+// Middleware to store last visited page before authentication
+export const storeRedirect = (
+  req: Request,
+  res: Response,
+  next: NextFunction,
+) => {
+  req.query.redirectTo = (req.get("Referer") || "/") as string
+  next()
+}
+
+export const setupGitHubAuth = () => {
+  if (!config.auth.github.clientID || !config.auth.github.clientSecret) return
+
+  const githubStrategy = new GitHubStrategy(
+    {
+      clientID: config.auth.github.clientID,
+      clientSecret: config.auth.github.clientSecret,
+      callbackURL: `${config.url + config.apiPrefix}auth/github/callback`,
+      scope: ["user:email", "read:user"],
+      passReqToCallback: true,
+    },
+    async (req, accessToken, refreshToken, profile, done) => {
+      try {
+        const token = jwtFromRequest(req)
+        const decoded = token ? jwt.verify(token, config.auth.jwt.secret) : null
+
+        if (!decoded || !decoded.sub) {
+          if (req.res) {
+            req.res.redirect("/error/github")
+          }
+          return done(new Error("No authenticated user found"), null)
+        }
+
+        const currentUser = await User.findOne({
+          id: decoded.sub,
+        })
+
+        if (!currentUser) {
+          if (req.res) {
+            req.res.redirect("/error/github")
+          }
+          return done(null, false, {
+            message: "Please login with your ORCID account",
+          })
+        }
+
+        // Updating GitHub info
+        currentUser.github = profile.username
+        currentUser.avatar = profile._json.avatar_url
+
+        if (!currentUser.location && profile._json.location) {
+          currentUser.location = profile._json.location
+        }
+        if (!currentUser.institution && profile._json.company) {
+          currentUser.institution = profile._json.company
+        }
+
+        // Ensure links array exists before adding GitHub profile URL
+        if (!currentUser.links) {
+          currentUser.links = []
+        }
+        if (
+          profile.profileUrl && !currentUser.links.includes(profile.profileUrl)
+        ) {
+          currentUser.links.push(profile.profileUrl)
+        }
+
+        currentUser.githubSynced = new Date()
+        await currentUser.save()
+        return done(null, addJWT(config)(currentUser.toObject()), {
+          message: "GitHub sync successful",
+        })
+      } catch (err) {
+        Sentry.captureException(err)
+        return done(err, null)
+      }
+    },
+  )
+
+  passport.use("github", githubStrategy)
+}
+
+const getStringFromQuery = (
+  query:
+    | string
+    | string[]
+    | Record<string, string | string[] | undefined>
+    | undefined,
+): string | undefined => {
+  if (typeof query === "string") {
+    return query
+  }
+  if (Array.isArray(query) && query.length > 0) {
+    return query[0]
+  }
+  return undefined
+}
+
+export const requestAuth = (
+  req: Request,
+  res: Response,
+  next: NextFunction,
+) => {
+  const redirectToParam = req.query.redirectTo as string | undefined // Explicit cast
+  const redirectToQuery: string | undefined = getStringFromQuery(
+    redirectToParam,
+  )
+  const redirectTo: string = redirectToQuery || "/"
+  passport.authenticate("github", {
+    state: encodeURIComponent(redirectTo),
+  })(req, res, next)
+}
+
+export const authCallback = (
+  req: Request,
+  res: Response,
+  next: NextFunction,
+) => {
+  passport.authenticate(
+    "github",
+    (err: Error | null, user: GitHubUser | false, info: GitHubAuthInfo) => {
+      const stateParam = req.query.state as string | undefined // Explicit cast
+      const stateQuery: string | undefined = getStringFromQuery(stateParam)
+      const redirectTo: string = stateQuery
+        ? decodeURIComponent(stateQuery)
+        : "/"
+
+      // Remove any existing query parameters
+      const cleanRedirectTo = redirectTo.split("?")[0]
+
+      if (err) {
+        Sentry.captureException(err)
+        return res.redirect(
+          `${cleanRedirectTo}?error=${
+            encodeURIComponent(
+              String(err?.message || "github_auth_failed"),
+            )
+          }`,
+        )
+      }
+
+      if (!user) {
+        Sentry.captureMessage(
+          `GitHub Auth Failed - Info: ${JSON.stringify(info)}`,
+          "warning",
+        )
+        return res.redirect(
+          `${cleanRedirectTo}?error=${
+            encodeURIComponent(
+              info?.message || "github_auth_failed",
+            )
+          }`,
+        )
+      }
+
+      return res.redirect(`${cleanRedirectTo}?success=github_auth_success`)
+    },
+  )(req, res, next)
+}

package/src/libs/authentication/orcid.ts

@@ -2,6 +2,7 @@ import passport from "passport"
 import { parsedJwtFromRequest } from "./jwt"
 import * as Sentry from "@sentry/node"
 import { userMigration } from "./user-migration"
+import User from "../../models/user"
 
 export const requestAuth = passport.authenticate("orcid", {
   session: false,
@@ -29,7 +30,7 @@ export function completeRequestLogin(req, res, next, user) {
 }
 
 export const authCallback = (req, res, next) =>
-  passport.authenticate("orcid", (err, user) => {
+  passport.authenticate("orcid", async (err, user) => {
     if (err) {
       Sentry.captureException(err)
       if (err.type) {
@@ -41,6 +42,19 @@ export const authCallback = (req, res, next) =>
     if (!user) {
       return res.redirect("/")
     }
+
+    try {
+      // adds new date for login/lastSeen
+      await User.findByIdAndUpdate(user._id, { lastSeen: new Date() })
+    } catch (error: unknown) {
+      if (error instanceof Error) {
+        Sentry.captureException(error)
+      } else {
+        Sentry.captureException(new Error(String(error)))
+      }
+      // Don't block the login flow
+    }
+
     // Google user
     const existingAuth = parsedJwtFromRequest(req)
     if (existingAuth) {

package/src/libs/authentication/passport.ts

@@ -8,10 +8,12 @@ import User from "../../models/user"
 import { encrypt } from "./crypto"
 import { addJWT, jwtFromRequest } from "./jwt"
 import orcid from "../orcid"
+import { setupGitHubAuth } from "./github"
 
 export const PROVIDERS = {
   GOOGLE: "google",
   ORCID: "orcid",
+  GITHUB: "github",
 }
 
 interface OauthProfile {
@@ -21,6 +23,7 @@ interface OauthProfile {
   providerId: string
   orcid?: string
   refresh?: string
+  avatar?: string
 }
 
 export const loadProfile = (profile): OauthProfile | Error => {
@@ -45,6 +48,13 @@ export const loadProfile = (profile): OauthProfile | Error => {
       orcid: profile.orcid,
       refresh: undefined,
     }
+  } else if (profile.provider === PROVIDERS.GITHUB) {
+    return {
+      email: profile.emails ? profile.emails[0].value : "",
+      name: profile.displayName || profile.username,
+      provider: profile.provider,
+      providerId: profile.id,
+    }
   } else {
     // Some unknown profile type
     return new Error("Unhandled profile type.")
@@ -110,11 +120,7 @@ export const setupPassportAuth = () => {
       { secretOrKey: config.auth.jwt.secret, jwtFromRequest },
       (jwt, done) => {
         if (jwt.scopes?.includes("dataset:indexing")) {
-          done(null, {
-            admin: false,
-            blocked: false,
-            indexer: true,
-          })
+          done(null, { admin: false, blocked: false, indexer: true })
         } else if (jwt.scopes?.includes("dataset:reviewer")) {
           done(null, {
             admin: false,
@@ -125,10 +131,9 @@ export const setupPassportAuth = () => {
         } else {
           // A user must already exist to use a JWT to auth a request
           User.findOne({ id: jwt.sub, provider: jwt.provider })
-            .then((user) => {
-              if (user) done(null, user.toObject())
-              else done(null, false)
-            })
+            .then((user) =>
+              user ? done(null, user.toObject()) : done(null, false)
+            )
             .catch(done)
         }
       },
@@ -168,4 +173,5 @@ export const setupPassportAuth = () => {
     )
     passport.use(PROVIDERS.ORCID, orcidStrategy)
   }
+  setupGitHubAuth()
 }

package/src/models/user.ts

@@ -30,6 +30,7 @@ export interface UserDocument extends Document {
   created: Date
   // Last time the user authenticated
   lastSeen: Date
+  // Location populated from User or Github
   location: string
   // Institution populated from ORCID
   institution: string
@@ -37,6 +38,12 @@ export interface UserDocument extends Document {
   github: string
   // User profile links
   links: string[]
+  // Added for Mongoose timestamps
+  updatedAt: Date
+  // Avatar populated from Github
+  avatar: string
+  // githubSynced populated from Github OAuth use
+  githubSynced: Date
 }
 
 const userSchema = new Schema({
@@ -49,6 +56,7 @@ const userSchema = new Schema({
   google: String, // Google ID if this is an ORCID account with a Google account linked
   migrated: { type: Boolean, default: false },
   refresh: String,
+  avatar: String,
   admin: { type: Boolean, default: false },
   blocked: { type: Boolean, default: false },
   created: { type: Date, default: Date.now },
@@ -56,8 +64,9 @@ const userSchema = new Schema({
   location: { type: String, default: "" },
   institution: { type: String, default: "" },
   github: { type: String, default: "" },
+  githubSynced: { type: Date },
   links: { type: [String], default: [] },
-})
+}, { timestamps: { createdAt: false, updatedAt: true } })
 
 userSchema.index({ id: 1, provider: 1 }, { unique: true })
 // Allow case-insensitive email queries

package/src/routes.ts

@@ -9,11 +9,13 @@ import * as subscriptions from "./handlers/subscriptions"
 import verifyUser from "./libs/authentication/verifyUser"
 import * as google from "./libs/authentication/google"
 import * as orcid from "./libs/authentication/orcid"
+import * as githubAuth from "./libs/authentication/github"
 import * as jwt from "./libs/authentication/jwt"
 import * as auth from "./libs/authentication/states"
 import * as doi from "./handlers/doi"
 import { sitemapHandler } from "./handlers/sitemap"
 import { reviewerHandler } from "./handlers/reviewer"
+import { storeRedirect } from "./libs/authentication/github"
 
 const noCache = (req, res, next) => {
   res.setHeader("Surrogate-Control", "no-store")
@@ -157,6 +159,21 @@ const routes = [
     middleware: [noCache, orcid.authCallback],
     handler: jwt.authSuccessHandler,
   },
+
+  // GitHub authentication route
+  {
+    method: "get",
+    url: "/auth/github",
+    middleware: [storeRedirect],
+    handler: githubAuth.requestAuth,
+  },
+
+  {
+    method: "get",
+    url: "/auth/github/callback",
+    handler: githubAuth.authCallback,
+  },
+
   // Anonymous reviewer access
   {
     method: "get",