RE: transfer.credentialsInUrl should warn about personal access tokens in user field #leftoverbits

All of lore.kernel.org
 help / color / mirror / Atom feed

From: <rsbecker@nexbridge.com>
To: "'Junio C Hamano'" <gitster@pobox.com>,
	"'brian m. carlson'" <sandals@crustytoothpaste.net>
Cc: "'M Hickford'" <mirth.hickford@gmail.com>, <git@vger.kernel.org>,
	<derrickstolee@github.com>, <stolee@gmail.com>
Subject: RE: transfer.credentialsInUrl should warn about personal access tokens in user field #leftoverbits
Date: Fri, 10 Jan 2025 20:01:06 -0500	[thread overview]
Message-ID: <01e501db63c4$4ef1a240$ecd4e6c0$@nexbridge.com> (raw)
In-Reply-To: <xmqqv7umb2lf.fsf@gitster.g>

On January 10, 2025 7:45 PM, Junio C Hamano wrote:
>"brian m. carlson" <sandals@crustytoothpaste.net> writes:
>
>>> When the former is true and the latter is false, it is an indication
>>> that for that site with the username-or-token, there wasn't anything
>>> necessary to authenticate and the access was authorized.  Which is
>>> what the original poster wants us to warn against.
>>
>> No, I don't think that will work in the general case.  Here's why.  If
>> I do `git push
>> https://bmc@git.crustytoothpaste.net/git/bmc/xyzzy.git`,
>> that uses Kerberos (Negotiate).  There's a username there to make
>> libcurl enable auth, but it's never used and a credential helper is
>> never invoked, so case 1 is true and case 2 is false.
>>
>> Now, we _could_ do that only for Basic auth, which would catch the
>> GitHub case.  However, it's _also_ possible to use TLS client
>> certificate auth (and I think Bitbucket does support that) and use the
>> username only for choosing the account (because, say, your work
>> account uses a client certificate and your personal account uses
>> something else).  There might be Basic auth sent (say, if you'd set
>> `http.proactiveAuth`), but the server would ignore it since you were
>> already authenticated via the TLS cert.  That would also make case 1
>> be true and case 2 be false.

If the use case is like mine, where someone wants to use something similar
to a PAT for creating a Pull Request, then GitHub, BitBucket, GitLab, and
AzureGit all behave in a very similar way. The PAT structure is different,
but
there is conceptual equivalence.

--Randall

>>
>> Perhaps that latter case is not worth worrying about, but it is a
>> possibility and I'm sure some people will hit it.  Maybe with a config
>> option for the advice that's okay, though.
>
>Thanks, so in short, if we really want to do this "warning", it has to look
at the
>"username" string and "guess" that it is something the user does not want
to have
>as a value to remote.*.url field X-<.
>
>So "should warn" in the title is not really #leftoverbits (i.e. we clearly
know it is a
>good idea, we just didn't have bandwidth to do it, anybody is welcome to
fill the
>void) at this point.
>
>Thanks.

next prev parent reply	other threads:[~2025-01-11  1:01 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-01-10 21:05 transfer.credentialsInUrl should warn about personal access tokens in user field #leftoverbits M Hickford
2025-01-10 21:32 ` Junio C Hamano
2025-01-10 22:06   ` brian m. carlson
2025-01-10 22:51     ` Junio C Hamano
2025-01-11  0:08       ` brian m. carlson
2025-01-11  0:45         ` Junio C Hamano
2025-01-11  1:01           ` rsbecker [this message]
2025-01-18 20:33     ` M Hickford
2025-01-10 22:10   ` rsbecker
2025-01-10 23:36   ` Randall Becker
2025-01-10 23:44     ` Junio C Hamano

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='01e501db63c4$4ef1a240$ecd4e6c0$@nexbridge.com' \
    --to=rsbecker@nexbridge.com \
    --cc=derrickstolee@github.com \
    --cc=git@vger.kernel.org \
    --cc=gitster@pobox.com \
    --cc=mirth.hickford@gmail.com \
    --cc=sandals@crustytoothpaste.net \
    --cc=stolee@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.