
Get Current User

curl -X GET https://api.nectr.ai/auth/me \
  -H "Cookie: access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Returns the profile information for the currently authenticated user.

Authentication

access_token - JWT token in httpOnly cookie (automatically sent by browsers)

Response

id (integer) - Internal user ID
github_id (integer) - GitHub user ID
github_username (string) - GitHub username (login)
name (string | null) - User’s full name from GitHub profile
email (string | null) - User’s email address from GitHub
avatar_url (string | null) - URL to the user’s GitHub avatar image
created_at (string) - ISO 8601 timestamp of when the user was created in the system

{
  "id": 123,
  "github_id": 98765432,
  "github_username": "octocat",
  "name": "The Octocat",
  "email": "[email protected]",
  "avatar_url": "https://avatars.githubusercontent.com/u/98765432",
  "created_at": "2024-01-15T10:30:00.000Z"
}

Error Responses

401 error: Not authenticated - The access_token cookie is missing
401 error: Invalid or expired token - The JWT token is invalid, malformed, or expired
401 error: User not found - The user ID from the token doesn’t exist in the database

User Model

The User model represents an authenticated user in the system.

Database Schema

id (integer, required) - Primary key, auto-incremented
github_id (integer, required) - Unique GitHub user ID, indexed for fast lookups
github_username (string, required) - GitHub username (login)
github_access_token (string, required) - GitHub OAuth access token, stored encrypted with Fernet (AES-128-CBC + HMAC-SHA256) under a key derived from SECRET_KEY.
email (string | null) - User’s email address from GitHub. May be null if the email is private.
avatar_url (string | null) - URL to the user’s GitHub avatar image
name (string | null) - User’s full name from GitHub profile
created_at (datetime) - Timestamp when the user was created (UTC, with timezone)
updated_at (datetime) - Timestamp when the user was last updated (UTC, with timezone)

Token Encryption

GitHub access tokens are encrypted at rest using authenticated symmetric encryption (Fernet), so the stored value is neither readable nor silently modifiable without the key.

Implementation

Defined in app/auth/token_encryption.py:

def encrypt_token(plaintext: str) -> str:
    """Encrypt a GitHub access token for storage."""
    # _get_fernet() is a module-level helper that builds the Fernet instance
    # from SHA-256(SECRET_KEY), URL-safe base64 encoded (see Encryption Details).
    f = _get_fernet()
    return f.encrypt(plaintext.encode()).decode()

Encryption Details

  • Algorithm: Fernet (AES-128-CBC + HMAC-SHA256)
  • Key Derivation: SHA-256 hash of SECRET_KEY, encoded as URL-safe base64
  • Security: Provides confidentiality and authenticity

Token Prefixes

The system recognizes these GitHub token prefixes for plaintext detection:
  • ghp_ - Personal access token
  • gho_ - OAuth access token
  • ghs_ - Server-to-server token
  • ghu_ - User access token
  • github_pat_ - Fine-grained personal access token

Migration Support

The decryption function gracefully handles legacy plaintext tokens. If a token cannot be decrypted but matches a GitHub token prefix, it’s returned as-is and a warning is logged. The token will be encrypted on the user’s next login.
If SECRET_KEY changes, all encrypted tokens become unreadable. Users must log out and sign in again to re-encrypt their tokens with the new key.
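The Token Encryption and Migration Support behaviour above, as an added worked example that is not the project's own code: it derives the Fernet key from SECRET_KEY as documented, falls back to a prefix-matched plaintext token with a warning, and shows that ciphertext becomes unreadable once SECRET_KEY is rotated. SECRET_KEY values and tokens are constructed sample data, and the function signatures take the key as a parameter for testability; the project's module reads it from configuration instead.

```python
import base64
import hashlib
import logging

from cryptography.fernet import Fernet, InvalidToken

log = logging.getLogger(__name__)

# Prefixes the docs list for detecting legacy plaintext GitHub tokens.
GITHUB_TOKEN_PREFIXES = ("ghp_", "gho_", "ghs_", "ghu_", "github_pat_")

def get_fernet(secret_key: str) -> Fernet:
    # Key derivation as documented: SHA-256(SECRET_KEY), URL-safe base64; the 32-byte digest is exactly Fernet's key size.
    return Fernet(base64.urlsafe_b64encode(hashlib.sha256(secret_key.encode()).digest()))

def looks_like_github_token(value: str) -> bool:
    return value.startswith(GITHUB_TOKEN_PREFIXES)

def encrypt_token(plaintext: str, secret_key: str) -> str:
    """Encrypt a GitHub access token for storage (Fernet: AES-128-CBC + HMAC-SHA256)."""
    return get_fernet(secret_key).encrypt(plaintext.encode()).decode()

def decrypt_token(stored: str, secret_key: str) -> str:
    """Decrypt a stored token, tolerating legacy plaintext rows.
    A value that fails authentication but carries a GitHub prefix is a pre-migration
    plaintext token: return it unchanged and warn so it is re-encrypted on next login.
    Any other failure (tampering, or ciphertext from a previous SECRET_KEY) propagates."""
    try:
        return get_fernet(secret_key).decrypt(stored.encode()).decode()
    except InvalidToken:
        if looks_like_github_token(stored):
            log.warning("legacy plaintext GitHub token in storage; re-encrypt on next login")
            return stored
        raise

def can_decrypt(stored: str, secret_key: str) -> bool:
    """Readability check, e.g. to count rows orphaned by a SECRET_KEY rotation."""
    try:
        decrypt_token(stored, secret_key)
        return True
    except InvalidToken:
        return False

if __name__ == "__main__":
    key, token = "constructed-secret-key", "gho_CONSTRUCTED_SAMPLE_TOKEN"  # constructed values
    stored = encrypt_token(token, key)
    assert decrypt_token(stored, key) == token and decrypt_token(token, key) == token
    assert not can_decrypt(stored, "rotated-secret-key")  # old ciphertext unreadable after key change
```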
