
allow for basic auth override for non-host matching jit request #58

Open
brettfo wants to merge 2 commits into main from dev/brettfo/jit-auth

Conversation

brettfo (Contributor) commented Mar 6, 2026

When the proxy refreshes a JIT token used to talk to github.com it communicates with a jit_access endpoint using the existing $JOB_TOKEN variable. As a member of the Microsoft Azure DevOps dependabot team we run the dependabot updater in Azure DevOps repos and our JIT access refresh endpoint uses a different authentication mechanism than just the original $JOB_TOKEN.

This PR allows for an optional username and password to be attached to the jit_access credential and if present basic HTTP auth will be set.

The implementation will still use the original $JOB_TOKEN variable unless the new parameters are explicitly given.

The functional change is in internal/apiclient/client.go. The call to client.newRequest(...) on line 117 sets the $JOB_TOKEN variable as the authentication mechanism, but then on line 122, if and only if both username and password were given, the auth is overridden. All other changes are plumbing to allow the extra information to be passed through.

The added test is a bit large, but very explicit in what URLs are requested, with what auth, and even what the status code was.

Copilot AI review requested due to automatic review settings March 6, 2026 18:37

Copilot AI left a comment

Pull request overview

This PR extends the JIT (Just-In-Time) access token refresh mechanism in the dependabot proxy to support an optional basic auth override. When a jit_access credential includes explicit username and password fields, those are used for HTTP Basic Auth when communicating with the JIT access endpoint, instead of the default $JOB_TOKEN. This enables Azure DevOps environments where the JIT access refresh endpoint requires a different authentication mechanism.

Changes:

  • Added jitAccessConfig struct to carry endpoint, username, and password together, replacing the previous map[string]string that only stored the endpoint URL
  • Extended RequestJITAccess method and ScopeRequester interface to accept optional username and password parameters, applying Basic Auth when both are provided
  • Added an integration test using httpmock to verify the full request flow: expired token → JIT refresh with explicit auth → retry with refreshed token

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

  • internal/handlers/git_server.go: Introduces jitAccessConfig struct, updates ScopeRequester interface and plumbing to pass username/password through to RequestJITAccess
  • internal/apiclient/client.go: Adds username/password params to RequestJITAccess; sets Basic Auth when both are provided
  • internal/apiclient/client_test.go: Updates existing test call sites to pass empty strings for the new parameters
  • internal/handlers/git_server_test.go: Updates TestScopeRequester mock; adds end-to-end integration test for explicit auth flow
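The precedence rule described in the PR description and restated in the review summary above (set $JOB_TOKEN first, replace it with HTTP Basic auth only when both username and password are present), as an added Go example that is not the proxy's own code. The jitAccessConfig type name comes from the review summary; its field names, the "Bearer" scheme for the job token, the request body, the JSON response shape and the fake endpoint are all assumptions made for this example. The fake server accepts only the expected Basic credentials and rejects anything else, which makes the caveat visible: if only one half of the pair is configured, the proxy silently falls back to $JOB_TOKEN and the refresh fails with 401 rather than with a configuration error.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// jitAccessConfig carries the endpoint plus optional explicit credentials.
// Field names are assumptions, not the project's actual struct layout.
type jitAccessConfig struct {
	Endpoint string
	Username string
	Password string
}

// newJITRequest applies the precedence rule from the PR: the job token is
// set first, and only when BOTH username and password are present is it
// replaced by Basic auth. SetBasicAuth uses Header.Set, so the default is
// overwritten rather than sent alongside the explicit credentials.
func newJITRequest(cfg jitAccessConfig, jobToken string, body []byte) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodPost, cfg.Endpoint, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+jobToken) // default: $JOB_TOKEN (scheme assumed)
	if cfg.Username != "" && cfg.Password != "" {
		req.SetBasicAuth(cfg.Username, cfg.Password) // explicit override
	}
	return req, nil
}

// authHeaderFor returns the single Authorization value newJITRequest would
// send, enough to check the precedence rule without a round-trip.
func authHeaderFor(cfg jitAccessConfig, jobToken string) string {
	req, err := newJITRequest(cfg, jobToken, nil)
	if err != nil {
		return ""
	}
	return req.Header.Get("Authorization")
}

// refreshToken performs one refresh and returns the token from an assumed
// JSON body of the form {"token": "..."}.
func refreshToken(client *http.Client, cfg jitAccessConfig, jobToken string) (string, error) {
	req, err := newJITRequest(cfg, jobToken, []byte(`{"scope":"github.com"}`))
	if err != nil {
		return "", err
	}
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("jit refresh: unexpected status %d", resp.StatusCode)
	}
	var out struct {
		Token string `json:"token"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return "", err
	}
	return out.Token, nil
}

// newFakeJITServer is a constructed stand-in for a refresh endpoint that only
// accepts Basic auth with the expected pair. It records every Authorization
// value it receives so the caller can confirm exactly one was sent.
func newFakeJITServer(wantUser, wantPass string, seen *[]string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		values := r.Header.Values("Authorization")
		*seen = append(*seen, values...)
		u, p, ok := r.BasicAuth()
		userOK := subtle.ConstantTimeCompare([]byte(u), []byte(wantUser)) == 1
		passOK := subtle.ConstantTimeCompare([]byte(p), []byte(wantPass)) == 1
		if !ok || !userOK || !passOK || len(values) != 1 {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"token":"ghs_refreshed_example"}`)
	}))
}

// demoRefresh runs one refresh against the fake endpoint with the given
// explicit credentials and returns the token, the Authorization values the
// server observed, and any error.
func demoRefresh(user, pass string) (string, []string, error) {
	var seen []string
	srv := newFakeJITServer("svc", "s3cret", &seen)
	defer srv.Close()
	cfg := jitAccessConfig{Endpoint: srv.URL + "/jit_access", Username: user, Password: pass}
	tok, err := refreshToken(srv.Client(), cfg, "job-token-from-env")
	return tok, seen, err
}

func main() {
	tok, seen, err := demoRefresh("svc", "s3cret")
	fmt.Println("explicit creds:", tok, seen, err)
	// Only the username configured: falls back to $JOB_TOKEN, endpoint answers 401.
	tok, seen, err = demoRefresh("svc", "")
	fmt.Println("partial creds: ", tok, seen, err)
}
```

Running the block shows the first refresh succeeding with a single "Basic ..." header on the wire and the second failing with a 401, since the half-configured credential never reaches the request. A deployment check worth adding alongside such a change is exactly that second case: assert that a jit_access credential with one of username/password set is rejected at config load time instead of degrading to the job token.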

brettfo (Contributor, Author) commented Mar 6, 2026

Failing smoke tests appear to be updated dependencies. Will re-cache runs shortly and retry.
