Github rate limit exceeded when pulling Bolt templates

[radumalica]

Describe the bug

If connecting to local Bolt from the same public IP and if you previously accessed GH API with non-authed requests , the limit is 60 reqs per minute, and pulling the templates from gh/thecodacus will throw a "rate limit exceeded" from Github

problem is, setting VITE_GITHUB_ACCESS_TOKEN doesn't work, it should as per selectStarterTemplate.ts line 121 :

const token = Cookies.get('githubToken') || import.meta.env.VITE_GITHUB_ACCESS_TOKEN;

The githubToken cookie is not being created once the user connects his Github account in the Bolt UI, and the request to API github is not authed.

Link to the Bolt URL that caused the error

https://bolt.owndomain.com

Steps to reproduce

1. Add your GH account to Bolt using a personal token (PAT), doesn't matter which type.
2. Try to tell Bolt a few times to code some projects , it will select automatically a template or use the one that you provide , which gets downloaded from TheCodacus's repo in Github
3. githubToken cookie is not set, and the request to GH API goes unauthenticated, in some cases (for example if you share the public IP with multiple users using GH) you will get rate limit exceeded error.

Expected behavior

Expected behavior: do not get rate limited by GH , since adding a PAT in UI settings should enable authenticated request to GH API which is limited to 5000 per minute instead of 60.

Screen Recording / Screenshot

Here is the code that i modified, i don't have time to open a PR here:

diff --git a/app/components/@settings/tabs/connections/GithubConnection.tsx b/app/components/@settings/tabs/connections/GithubConnection.tsx
index e2d8924..7664717 100644
--- a/app/components/@settings/tabs/connections/GithubConnection.tsx
+++ b/app/components/@settings/tabs/connections/GithubConnection.tsx
@@ -205,7 +205,11 @@ export function GithubConnection() {
tokenType: connection.tokenType,
};
+ // Store in localStorage for persistence
localStorage.setItem('github_connection', JSON.stringify(newConnection));
+
+ // Set cookie for git-proxy authentication
+ document.cookie = GithubToken=${token}; path=/; secure; samesite=strict;
setConnection(newConnection);

await fetchGitHubStats(token);
@@ -226,7 +230,9 @@ export function GithubConnection() {
};

const handleDisconnect = () => {
+ // Remove from both localStorage and cookies
localStorage.removeItem('github_connection');
+ document.cookie = 'GithubToken=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT';
setConnection({ user: null, token: '', tokenType: 'classic' });
toast.success('Disconnected from GitHub');
};

diff --git a/app/routes/api.git-proxy.$.ts b/app/routes/api.git-proxy.$.ts
index 9e6cb3b..6c76234 100644
--- a/app/routes/api.git-proxy.$.ts
+++ b/app/routes/api.git-proxy.$.ts
@@ -21,6 +21,14 @@ async function handleProxyRequest(request: Request, path: string | undefined) {
// Reconstruct the target URL
const targetURL =https://${path}${url.search};

+ // Get GitHub token from cookie if it exists
+ const githubToken = request.headers
+ .get('cookie')
+ ?.split(';')
+ .map((cookie) => cookie.trim())
+ .find((cookie) => cookie.startsWith('GithubToken='))
+ ?.split('=')[1];
+
// Forward the request to the target URL
const response = await fetch(targetURL, {
method: request.method,
@@ -29,6 +37,13 @@ async function handleProxyRequest(request: Request, path: string | undefined) {

// Override host header with the target host
host: new URL(targetURL).host,
+
+ // Add Authorization header if GitHub token exists
+ ...(githubToken
+ ? {
+ Authorization: Bearer ${githubToken},
+ }
+ : {}),
},
body: ['GET', 'HEAD'].includes(request.method) ? null : await request.arrayBuffer(),
});

And a bonus for the fellows having issues with Vite blocking access when using a reverse proxy:

diff --git a/vite.config.ts b/vite.config.ts
index 01fb3b2..cdc898f 100644
--- a/vite.config.ts
+++ b/vite.config.ts
@@ -73,6 +73,9 @@ const gitInfo = getGitInfo();

export default defineConfig((config) => {
return {
+ server: {
+ allowedHosts: ['your_domain_url'], // Allow requests from your domain
+ },
define: {
__COMMIT_HASH: JSON.stringify(gitInfo.commitHash),
__GIT_BRANCH: JSON.stringify(gitInfo.branch),

Platform

• OS: [Windows]
• Browser: [Firefox]
• Bolt hosted on Linux, as docker container

Provider Used

OpenAILike - local LM Studio

Model Used

llama 3.2 instruct, qwen 2.5 coder

Additional context

No response

[leex279]

@radumalica thanks for the report and detailled description. I am pretty sure this worked at some point and broke maybe with tne new settings UI.

@Stijnus @thecodacus can you verify that?

[thecodacus]

looks like a bug. here is a fix #1411

[thecodacus]

@radumalica can you confirm this fixed your issue ?

[radumalica]

let me pull the changes and i'll test later today after work.