feat(extensions,presets): authenticate GitHub-hosted catalog and download requests with GITHUB_TOKEN/GH_TOKEN

Squashed from #2087 (original author: @anasseth).

Adds GitHub-token authentication to extension and preset catalog fetching
and ZIP downloads so private GitHub repos work when GITHUB_TOKEN/GH_TOKEN
is set, while preventing credential leakage to non-GitHub hosts.

- Introduces shared _github_http module with build_github_request() and
  open_github_url() helpers
- Routes ExtensionCatalog and PresetCatalog network calls through
  GitHub-auth-aware opener
- Adds comprehensive unit/integration tests for auth header behavior
- Updates user docs for both extensions and presets

Co-authored-by: anasseth <16745089+anasseth@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: 3 people

extensions/EXTENSION-USER-GUIDE.md

@@ -423,7 +423,7 @@ In addition to extension-specific environment variables (`SPECKIT_{EXT_ID}_*`),
 | Variable | Description | Default |
 |----------|-------------|---------|
 | `SPECKIT_CATALOG_URL`       | Override the full catalog stack with a single URL (backward compat) | Built-in default stack |
-| `GH_TOKEN` / `GITHUB_TOKEN` | GitHub API token for downloads     | None                  |
+| `GH_TOKEN` / `GITHUB_TOKEN` | GitHub token for authenticated requests to GitHub-hosted URLs (`raw.githubusercontent.com`, `github.com`, `api.github.com`). Required when your catalog JSON or extension ZIPs are hosted in a private GitHub repository. | None |
 
 #### Example: Using a custom catalog for testing
 
@@ -435,6 +435,21 @@ export SPECKIT_CATALOG_URL="http://localhost:8000/catalog.json"
 export SPECKIT_CATALOG_URL="https://example.com/staging/catalog.json"
 ```
 
+#### Example: Using a private GitHub-hosted catalog
+
+```bash
+# Authenticate with a token (gh CLI, PAT, or GITHUB_TOKEN in CI)
+export GITHUB_TOKEN=$(gh auth token)
+
+# Search a private catalog added via `specify extension catalog add`
+specify extension search jira
+
+# Install from a private catalog
+specify extension add jira-sync
+```
+
+The token is attached automatically to requests targeting GitHub domains. Non-GitHub catalog URLs are always fetched without credentials.
+
 ---
 
 ## Extension Catalogs

presets/README.md

@@ -93,9 +93,25 @@ See [scaffold/](scaffold/) for a scaffold you can copy to create your own preset
 
 ## Environment Variables
 
-| Variable | Description |
-|----------|-------------|
-| `SPECKIT_PRESET_CATALOG_URL` | Override the catalog URL (replaces all defaults) |
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `SPECKIT_PRESET_CATALOG_URL` | Override the full catalog stack with a single URL (replaces all defaults) | Built-in default stack |
+| `GH_TOKEN` / `GITHUB_TOKEN` | GitHub token for authenticated requests to GitHub-hosted URLs (`raw.githubusercontent.com`, `github.com`, `api.github.com`). Required when your catalog JSON or preset ZIPs are hosted in a private GitHub repository. | None |
+
+#### Example: Using a private GitHub-hosted catalog
+
+```bash
+# Authenticate with a token (gh CLI, PAT, or GITHUB_TOKEN in CI)
+export GITHUB_TOKEN=$(gh auth token)
+
+# Search a private catalog added via `specify preset catalog add`
+specify preset search my-template
+
+# Install from a private catalog
+specify preset add my-template
+```
+
+The token is attached automatically to requests targeting GitHub domains. Non-GitHub catalog URLs are always fetched without credentials.
 
 ## Configuration Files
 

src/specify_cli/_github_http.py

@@ -0,0 +1,75 @@
+"""Shared GitHub-authenticated HTTP helpers.
+
+Used by both ExtensionCatalog and PresetCatalog to attach
+GITHUB_TOKEN / GH_TOKEN credentials to requests targeting
+GitHub-hosted domains, while preventing token leakage to
+third-party hosts on redirects.
+"""
+
+import os
+import urllib.request
+from urllib.parse import urlparse
+from typing import Dict
+
+# GitHub-owned hostnames that should receive the Authorization header.
+# Includes codeload.github.com because GitHub archive URL downloads
+# (e.g. /archive/refs/tags/<tag>.zip) redirect there and require auth
+# for private repositories.
+GITHUB_HOSTS = frozenset({
+    "raw.githubusercontent.com",
+    "github.com",
+    "api.github.com",
+    "codeload.github.com",
+})
+
+
+def build_github_request(url: str) -> urllib.request.Request:
+    """Build a urllib Request, adding a GitHub auth header when available.
+
+    Reads GITHUB_TOKEN or GH_TOKEN from the environment and attaches an
+    ``Authorization: token <value>`` header when the target hostname is one
+    of the known GitHub-owned domains. Non-GitHub URLs are returned as plain
+    requests so credentials are never leaked to third-party hosts.
+    """
+    headers: Dict[str, str] = {}
+    github_token = (os.environ.get("GITHUB_TOKEN") or "").strip()
+    gh_token = (os.environ.get("GH_TOKEN") or "").strip()
+    token = github_token or gh_token or None
+    hostname = (urlparse(url).hostname or "").lower()
+    if token and hostname in GITHUB_HOSTS:
+        headers["Authorization"] = f"token {token}"
+    return urllib.request.Request(url, headers=headers)
+
+
+class _StripAuthOnRedirect(urllib.request.HTTPRedirectHandler):
+    """Redirect handler that drops the Authorization header when leaving GitHub.
+
+    Prevents token leakage to CDNs or other third-party hosts that GitHub
+    may redirect to (e.g. S3 for release asset downloads, objects.githubusercontent.com).
+    Auth is preserved as long as the redirect target remains within GITHUB_HOSTS.
+    """
+
+    def redirect_request(self, req, fp, code, msg, headers, newurl):
+        new_req = super().redirect_request(req, fp, code, msg, headers, newurl)
+        if new_req is not None:
+            hostname = (urlparse(newurl).hostname or "").lower()
+            if hostname not in GITHUB_HOSTS:
+                new_req.headers.pop("Authorization", None)
+        return new_req
+
+
+def open_github_url(url: str, timeout: int = 10):
+    """Open a URL with GitHub auth, stripping the header on cross-host redirects.
+
+    When the request carries an Authorization header, a custom redirect
+    handler drops that header if the redirect target is not a GitHub-owned
+    domain, preventing token leakage to CDNs or other third-party hosts
+    that GitHub may redirect to (e.g. S3 for release asset downloads).
+    """
+    req = build_github_request(url)
+
+    if not req.get_header("Authorization"):
+        return urllib.request.urlopen(req, timeout=timeout)
+
+    opener = urllib.request.build_opener(_StripAuthOnRedirect)
+    return opener.open(req, timeout=timeout)

src/specify_cli/extensions.py

@@ -1539,6 +1539,22 @@ def _validate_catalog_url(self, url: str) -> None:
         if not parsed.netloc:
             raise ValidationError("Catalog URL must be a valid URL with a host.")
 
+    def _make_request(self, url: str):
+        """Build a urllib Request, adding a GitHub auth header when available.
+
+        Delegates to :func:`specify_cli._github_http.build_github_request`.
+        """
+        from specify_cli._github_http import build_github_request
+        return build_github_request(url)
+
+    def _open_url(self, url: str, timeout: int = 10):
+        """Open a URL with GitHub auth, stripping the header on cross-host redirects.
+
+        Delegates to :func:`specify_cli._github_http.open_github_url`.
+        """
+        from specify_cli._github_http import open_github_url
+        return open_github_url(url, timeout)
+
     def _load_catalog_config(self, config_path: Path) -> Optional[List[CatalogEntry]]:
         """Load catalog stack configuration from a YAML file.
 
@@ -1695,7 +1711,6 @@ def _fetch_single_catalog(self, entry: CatalogEntry, force_refresh: bool = False
         Raises:
             ExtensionError: If catalog cannot be fetched or has invalid format
         """
-        import urllib.request
         import urllib.error
 
         # Determine cache file paths (backward compat for default catalog)
@@ -1729,7 +1744,7 @@ def _fetch_single_catalog(self, entry: CatalogEntry, force_refresh: bool = False
 
         # Fetch from network
         try:
-            with urllib.request.urlopen(entry.url, timeout=10) as response:
+            with self._open_url(entry.url, timeout=10) as response:
                 catalog_data = json.loads(response.read())
 
             if "schema_version" not in catalog_data or "extensions" not in catalog_data:
@@ -1843,10 +1858,9 @@ def fetch_catalog(self, force_refresh: bool = False) -> Dict[str, Any]:
         catalog_url = self.get_catalog_url()
 
         try:
-            import urllib.request
             import urllib.error
 
-            with urllib.request.urlopen(catalog_url, timeout=10) as response:
+            with self._open_url(catalog_url, timeout=10) as response:
                 catalog_data = json.loads(response.read())
 
             # Validate catalog structure
@@ -1957,7 +1971,6 @@ def download_extension(self, extension_id: str, target_dir: Optional[Path] = Non
         Raises:
             ExtensionError: If extension not found or download fails
         """
-        import urllib.request
         import urllib.error
 
         # Get extension info from catalog
@@ -1997,7 +2010,7 @@ def download_extension(self, extension_id: str, target_dir: Optional[Path] = Non
 
         # Download the ZIP file
         try:
-            with urllib.request.urlopen(download_url, timeout=60) as response:
+            with self._open_url(download_url, timeout=60) as response:
                 zip_data = response.read()
 
             zip_path.write_bytes(zip_data)

src/specify_cli/presets.py

@@ -1542,6 +1542,22 @@ def _validate_catalog_url(self, url: str) -> None:
                 "Catalog URL must be a valid URL with a host."
             )
 
+    def _make_request(self, url: str):
+        """Build a urllib Request, adding a GitHub auth header when available.
+
+        Delegates to :func:`specify_cli._github_http.build_github_request`.
+        """
+        from specify_cli._github_http import build_github_request
+        return build_github_request(url)
+
+    def _open_url(self, url: str, timeout: int = 10):
+        """Open a URL with GitHub auth, stripping the header on cross-host redirects.
+
+        Delegates to :func:`specify_cli._github_http.open_github_url`.
+        """
+        from specify_cli._github_http import open_github_url
+        return open_github_url(url, timeout)
+
     def _load_catalog_config(self, config_path: Path) -> Optional[List[PresetCatalogEntry]]:
         """Load catalog stack configuration from a YAML file.
 
@@ -1724,10 +1740,7 @@ def _fetch_single_catalog(self, entry: PresetCatalogEntry, force_refresh: bool =
                 pass
 
         try:
-            import urllib.request
-            import urllib.error
-
-            with urllib.request.urlopen(entry.url, timeout=10) as response:
+            with self._open_url(entry.url, timeout=10) as response:
                 catalog_data = json.loads(response.read())
 
             if (
@@ -1820,10 +1833,7 @@ def fetch_catalog(self, force_refresh: bool = False) -> Dict[str, Any]:
                 pass
 
         try:
-            import urllib.request
-            import urllib.error
-
-            with urllib.request.urlopen(catalog_url, timeout=10) as response:
+            with self._open_url(catalog_url, timeout=10) as response:
                 catalog_data = json.loads(response.read())
 
             if (
@@ -1942,7 +1952,6 @@ def download_pack(
         Raises:
             PresetError: If pack not found or download fails
         """
-        import urllib.request
         import urllib.error
 
         pack_info = self.get_pack_info(pack_id)
@@ -1994,7 +2003,7 @@ def download_pack(
         zip_path = target_dir / zip_filename
 
         try:
-            with urllib.request.urlopen(download_url, timeout=60) as response:
+            with self._open_url(download_url, timeout=60) as response:
                 zip_data = response.read()
 
             zip_path.write_bytes(zip_data)