From: <rsbecker@nexbridge.com>
To: "'Junio C Hamano'" <gitster@pobox.com>,
"'M Hickford'" <mirth.hickford@gmail.com>
Cc: <git@vger.kernel.org>, <derrickstolee@github.com>, <stolee@gmail.com>
Subject: RE: transfer.credentialsInUrl should warn about personal access tokens in user field #leftoverbits
Date: Fri, 10 Jan 2025 17:10:21 -0500 [thread overview]
Message-ID: <01a301db63ac$73fb85f0$5bf291d0$@nexbridge.com> (raw)
In-Reply-To: <xmqqh6665p8j.fsf@gitster.g>
On January 10, 2025 4:33 PM, Junio C Hamano wrote:
>M Hickford <mirth.hickford@gmail.com> writes:
>
>> It would be neat to warn similarly if the user includes a personal access token in
>the *user* field of the remote URL:
>>
>> git clone https://<pat>@github.com/...
>>
>> This is a popular practice according to StackOverflow
>> https://stackoverflow.com/a/70320541/284795 (800k views).
>>
>> GitHub personal access tokens are easily recognised by their prefixes
>> "ghp_" and "github_pat_"
>
>Curious. I do not think we have *any* code to special case such a "token", so to Git
>itself, https://<pat>@github.com/... should look as it (assuming <pat> does not
>have any colon in it) is trying to access the site with <pat> as the username.
>
>How do we _know_ that this request with <pat> do not need a password? I ask
>because I'd prefer not to see us hardcoding any hosting-site specific heuristics in the
>code, and these users apparently are doing fine without any such hardcoding. If we
>can reuse the mechanism that is letting them do so when deciding if we should
>warn, it would be great.
>
>Are users expected to configure their credential helpers know that it is a <pat>
>(perhaps with authtype=Bearer)?
This is why I implemented my own credential layer - sorry, cannot share,
but can describe if asked (maybe at a Git Merge? 😉 ). Git should not need to
know about GitHub specific access methods for HTTPS, where PAT is required
for git push. There is no password for PAT use, which makes it highly insecure
if persisted on disk - I do not know why GitHub went down that path, I guess
they did not want any potential CVEs associated with SSH-like passphrases.
PAT became a real annoyance for my community, so I had to do something quick
and adding my own credential manager seemed expedient (and works pretty
well - but if someone wants to do this, they must be very careful managing
access to the cached PAT's memory use). The primary use case in my situation
is not actually git push, but the creation of Pull Requests on GitHub from
scripts or a CLI since NonStop has no GUI adapter to access their website.
>
>Sorry for not giving any answer and piling more questions on top.
next prev parent reply other threads:[~2025-01-10 22:10 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-10 21:05 transfer.credentialsInUrl should warn about personal access tokens in user field #leftoverbits M Hickford
2025-01-10 21:32 ` Junio C Hamano
2025-01-10 22:06 ` brian m. carlson
2025-01-10 22:51 ` Junio C Hamano
2025-01-11 0:08 ` brian m. carlson
2025-01-11 0:45 ` Junio C Hamano
2025-01-11 1:01 ` rsbecker
2025-01-18 20:33 ` M Hickford
2025-01-10 22:10 ` rsbecker [this message]
2025-01-10 23:36 ` Randall Becker
2025-01-10 23:44 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='01a301db63ac$73fb85f0$5bf291d0$@nexbridge.com' \
--to=rsbecker@nexbridge.com \
--cc=derrickstolee@github.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=mirth.hickford@gmail.com \
--cc=stolee@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).