From: <rsbecker@nexbridge.com>
To: "'Junio C Hamano'" <gitster@pobox.com>,
"'brian m. carlson'" <sandals@crustytoothpaste.net>
Cc: "'M Hickford'" <mirth.hickford@gmail.com>, <git@vger.kernel.org>,
<derrickstolee@github.com>, <stolee@gmail.com>
Subject: RE: transfer.credentialsInUrl should warn about personal access tokens in user field #leftoverbits
Date: Fri, 10 Jan 2025 20:01:06 -0500 [thread overview]
Message-ID: <01e501db63c4$4ef1a240$ecd4e6c0$@nexbridge.com> (raw)
In-Reply-To: <xmqqv7umb2lf.fsf@gitster.g>
On January 10, 2025 7:45 PM, Junio C Hamano wrote:
>"brian m. carlson" <sandals@crustytoothpaste.net> writes:
>
>>> When the former is true and the latter is false, it is an indication
>>> that for that site with the username-or-token, there wasn't anything
>>> necessary to authenticate and the access was authorized. Which is
>>> what the original poster wants us to warn against.
>>
>> No, I don't think that will work in the general case. Here's why. If
>> I do `git push
>> https://bmc@git.crustytoothpaste.net/git/bmc/xyzzy.git`,
>> that uses Kerberos (Negotiate). There's a username there to make
>> libcurl enable auth, but it's never used and a credential helper is
>> never invoked, so case 1 is true and case 2 is false.
>>
>> Now, we _could_ do that only for Basic auth, which would catch the
>> GitHub case. However, it's _also_ possible to use TLS client
>> certificate auth (and I think Bitbucket does support that) and use the
>> username only for choosing the account (because, say, your work
>> account uses a client certificate and your personal account uses
>> something else). There might be Basic auth sent (say, if you'd set
>> `http.proactiveAuth`), but the server would ignore it since you were
>> already authenticated via the TLS cert. That would also make case 1
>> be true and case 2 be false.
If the use case is like mine, where someone wants to use something similar
to a PAT for creating a Pull Request, then GitHub, BitBucket, GitLab, and
AzureGit all behave in a very similar way. The PAT structure is different,
but
there is conceptual equivalence.
--Randall
>>
>> Perhaps that latter case is not worth worrying about, but it is a
>> possibility and I'm sure some people will hit it. Maybe with a config
>> option for the advice that's okay, though.
>
>Thanks, so in short, if we really want to do this "warning", it has to look
at the
>"username" string and "guess" that it is something the user does not want
to have
>as a value to remote.*.url field X-<.
>
>So "should warn" in the title is not really #leftoverbits (i.e. we clearly
know it is a
>good idea, we just didn't have bandwidth to do it, anybody is welcome to
fill the
>void) at this point.
>
>Thanks.
next prev parent reply other threads:[~2025-01-11 1:01 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-10 21:05 transfer.credentialsInUrl should warn about personal access tokens in user field #leftoverbits M Hickford
2025-01-10 21:32 ` Junio C Hamano
2025-01-10 22:06 ` brian m. carlson
2025-01-10 22:51 ` Junio C Hamano
2025-01-11 0:08 ` brian m. carlson
2025-01-11 0:45 ` Junio C Hamano
2025-01-11 1:01 ` rsbecker [this message]
2025-01-18 20:33 ` M Hickford
2025-01-10 22:10 ` rsbecker
2025-01-10 23:36 ` Randall Becker
2025-01-10 23:44 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='01e501db63c4$4ef1a240$ecd4e6c0$@nexbridge.com' \
--to=rsbecker@nexbridge.com \
--cc=derrickstolee@github.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=mirth.hickford@gmail.com \
--cc=sandals@crustytoothpaste.net \
--cc=stolee@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).