security: ignore config.toml to prevent token leaks

security: add GitHub token format validation
security: add client-side rate limiting to update_all command
2026-03-23 17:52:14 +02:00 · 2026-03-23 17:51:50 +02:00 · 2026-03-23 17:51:50 +02:00
3 changed files with 30 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,8 @@
 /target
 IMPLEMENTATION_PLAN.md
+
+# Config files that may contain GitHub tokens
+# Note: User config files are stored in platform-specific directories outside the repo
+# (e.g., ~/.config/gh-celebs/config.toml on Linux)
+# This prevents accidental commits if someone creates config.toml in the project root
+/config.toml
--- a/src/github.rs
+++ b/src/github.rs
@@ -11,6 +11,22 @@ pub struct GitHubClient {

 impl GitHubClient {
    pub fn new(token: Option<String>) -> Result<Self> {
+        // Validate token format if provided
+        if let Some(ref t) = token {
+            if !t.is_empty() {
+                // GitHub classic tokens start with 'ghp_'
+                // Fine-grained tokens start with 'github_pat_'
+                // OAuth tokens don't have a specific prefix
+                let is_valid_format = t.starts_with("ghp_") || 
+                                      t.starts_with("github_pat_") ||
+                                      t.len() >= 20; // Generic check for reasonable token length
+                
+                if !is_valid_format {
+                    anyhow::bail!("Invalid GitHub token format. Token should start with 'ghp_' (classic) or 'github_pat_' (fine-grained)");
+                }
+            }
+        }
+
        let mut headers = HeaderMap::new();
        headers.insert(USER_AGENT, HeaderValue::from_static("gh-celebs"));
        headers.insert(ACCEPT, HeaderValue::from_static("application/vnd.github.v3+json"));
--- a/src/search.rs
+++ b/src/search.rs
@@ -3,6 +3,8 @@ use crate::github::GitHubClient;
 use crate::models::{RateLimitInfo, Repo, SearchResponse, SearchResult};
 use anyhow::Result;
 use std::collections::HashMap;
+use std::time::Duration;
+use tokio::time::sleep;

 pub struct SearchEngine {
    db: Database,
@@ -105,6 +107,12 @@ impl SearchEngine {
            if last_rate_limit.remaining < 3 {
                println!("\nWarning: Rate limit running low ({} remaining)", last_rate_limit.remaining);
            }
+
+            // Client-side rate limiting: wait 3 seconds between requests
+            // This respects both anonymous (10/min = 6s) and authenticated (30/min = 2s) limits
+            if idx < total - 1 {
+                sleep(Duration::from_secs(3)).await;
+            }
        }

        println!("\n✓ Updated {} repositories", total);
Author	SHA1	Message	Date
Jonathan Agmon	23775e3c67	security: ignore config.toml to prevent token leaks	2026-03-23 17:52:14 +02:00
Jonathan Agmon	9b31be5457	security: add GitHub token format validation	2026-03-23 17:51:50 +02:00
Jonathan Agmon	1dbf7e33f9	security: add client-side rate limiting to update_all command	2026-03-23 17:51:50 +02:00