From 814cee8a77344f5e2cb23d9f9c18c3b71ebb5c6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20Tron=C3=AD=C4=8Dek?=
Date: Tue, 17 Dec 2024 08:39:48 +0000
Subject: [PATCH 1/2] [server] fix private GitHub avatars

---
 components/server/src/github/github-auth-provider.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/components/server/src/github/github-auth-provider.ts b/components/server/src/github/github-auth-provider.ts
index 03eaa82eb620d6..c41724fd16ace3 100644
--- a/components/server/src/github/github-auth-provider.ts
+++ b/components/server/src/github/github-auth-provider.ts
@@ -99,6 +99,13 @@ export class GitHubAuthProvider extends GenericAuthProvider {
             data: { id, login, avatar_url, name, company, created_at },
             headers,
         } = currentUser;
+        const publicAvatarURL = new URL(avatar_url);
+        if (publicAvatarURL.host === "private-avatars.githubusercontent.com") {
+            // github has recently been rolling out private JWT-signed avatar URLs which expire after a short time
+            // we need to use the public avatar URL instead so that the avatar is displayed correctly and fits into our database (which is capped at 255 chars)
+            publicAvatarURL.host = "avatars.githubusercontent.com";
+            publicAvatarURL.search = "";
+        }
 
         // https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/
         // e.g. X-OAuth-Scopes: repo, user
@@ -125,7 +132,7 @@ export class GitHubAuthProvider extends GenericAuthProvider {
             authUser: {
                 authId: String(id),
                 authName: login,
-                avatarUrl: avatar_url,
+                avatarUrl: publicAvatarURL.toString(),
                 name,
                 primaryEmail: filterPrimaryEmail(userEmails),
                 company,

From 240d9b07c79e14cba7db82d3747f6f5101fcb80b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20Tron=C3=AD=C4=8Dek?=
Date: Tue, 17 Dec 2024 09:05:02 +0000
Subject: [PATCH 2/2] Improve comment and don't delete all search params

---
 components/server/src/github/github-auth-provider.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

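Review bot: `new URL(avatar_url)` in the first hunk throws a TypeError for any value that is not an absolute URL (an empty string, a relative path, or a missing field if the GitHub response ever omits `avatar_url`), and because the call is unguarded that turns a cosmetic avatar problem into a failed sign-in for the user. The rewrite is only a best-effort normalisation, so it should fail soft: parse inside a try/catch, keep the raw value when parsing fails, and record the failure with whatever logger this file already uses. The second hunk's `avatarUrl: publicAvatarURL.toString()` would then read the fallback variable instead. The enclosing method starts and ends outside both hunks, so the surrounding destructuring and the later `authUser` literal are only partly visible here.
```typescript
        } = currentUser;
        // Best-effort: rewrite private avatar URLs, but never let a malformed
        // avatar_url abort the sign-in — fall back to the raw value instead.
        let avatarUrl = avatar_url;
        try {
            const publicAvatarURL = new URL(avatar_url);
            if (publicAvatarURL.host === "private-avatars.githubusercontent.com") {
                // … unchanged: comment, host rewrite and query-parameter stripping …
            }
            avatarUrl = publicAvatarURL.toString();
        } catch (e: unknown) {
            // TODO(review): report via the file's logger; keep avatar_url as-is
        }
```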
diff --git a/components/server/src/github/github-auth-provider.ts b/components/server/src/github/github-auth-provider.ts
index c41724fd16ace3..4475b21f3be37d 100644
--- a/components/server/src/github/github-auth-provider.ts
+++ b/components/server/src/github/github-auth-provider.ts
@@ -102,9 +102,9 @@ export class GitHubAuthProvider extends GenericAuthProvider {
         const publicAvatarURL = new URL(avatar_url);
         if (publicAvatarURL.host === "private-avatars.githubusercontent.com") {
             // github has recently been rolling out private JWT-signed avatar URLs which expire after a short time
-            // we need to use the public avatar URL instead so that the avatar is displayed correctly and fits into our database (which is capped at 255 chars)
+            // we need to use the public avatar URL instead so that the avatar is displayed correctly and fits into our database column (which is capped at 255 chars)
             publicAvatarURL.host = "avatars.githubusercontent.com";
-            publicAvatarURL.search = "";
+            publicAvatarURL.searchParams.delete("jwt");
         }
 
         // https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/
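Review bot: The switch from clearing `search` to `searchParams.delete("jwt")` now relies on `jwt` being the only expiring, signature-bearing parameter on the private-avatar URL, and nothing on the page establishes that; any other signed parameter GitHub adds later would survive the rewrite and the stored URL would expire again. The comment should state that assumption so the next maintainer knows what to re-check, e.g. `// assumes "jwt" is the only short-lived parameter on private avatar URLs — re-verify if avatars start breaking again`. Since the comment explicitly cites the 255-character column, it would also be worth a fail-soft guard that the rewritten URL actually fits before it is handed to the persistence layer, rather than discovering the overflow as an insert error. The enclosing method starts and ends outside this hunk.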