Git clone sends first an empty authorization header

Git clone sends first an empty authorization header

[Guilherme]

Hi,

When doing basic authentication using git clone by passing the
username and password in the url git clone will first send a GET
request without the authorization header set.

Am i seeing this right?

This means that if the counterpart allows anonymous cloning but not
pushing and the user provided a wrong usernam/password, it has two
options:

1. Allow the access and leave the user to figure out why he is not able to push.

2. Reply by setting the WWW-Authentication header and see if a
password/username is provided. This has the downside that if no
username and password is provided the user will still get a login
prompt for password and username. Upon entering twice nothing he will
still be able to clone. This can be confusing.

Can this behaviour of git clone (and I guess all the other parts that
do basic auth) be changed to provide the authentication header right
on the first request? Or am I doing/interpreting it wrong?

Thank you.

Re: Git clone sends first an empty authorization header

[Bryan Turner]

On Fri, Mar 4, 2016 at 9:51 PM, Guilherme <guibufolo@gmail.com> wrote:
> Hi,
>
> When doing basic authentication using git clone by passing the
> username and password in the url git clone will first send a GET
> request without the authorization header set.
>
> Am i seeing this right?

I believe this is an intentional behavior in either cURL or how Git
uses it. Credentials aren't sent until the server returns a challenge
for them, even if you include them in your clone URL or elsewhere. So
yes, you're seeing it right.

>
> This means that if the counterpart allows anonymous cloning but not
> pushing and the user provided a wrong usernam/password, it has two
> options:

I'm not sure why this would be true. If the remote server allows
anonymous clone/fetch, then you never get prompted for credentials
and, even if they're supplied, they're never sent to the remote
server. If you then try to push, if the server is working correctly it
should detect that anonymous users can't push and it should return a
401 with a WWW-Authenticate header. When the client receives the 401,
it should send the credentials it has (or prompt for them if it
doesn't have them) and the push should work without issue.

Perhaps there's an issue with how your server is setup to handle permissions?

>
> 1. Allow the access and leave the user to figure out why he is not able to push.
>
> 2. Reply by setting the WWW-Authentication header and see if a
> password/username is provided. This has the downside that if no
> username and password is provided the user will still get a login
> prompt for password and username. Upon entering twice nothing he will
> still be able to clone. This can be confusing.
>
> Can this behaviour of git clone (and I guess all the other parts that
> do basic auth) be changed to provide the authentication header right
> on the first request? Or am I doing/interpreting it wrong?
>
> Thank you.
> --
> To unsubscribe from this list: send the line "unsubscribe git" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Git clone sends first an empty authorization header

[Guilherme]

Hey Bryan,

Yes that will happen he will get a prompet for username/password but
he already provided them in the URL and it worked before. He could
clone. I think this is a little bit confusing.

My problem is that the tool I'm trying to build is trying to provide
the username used to log in via an environment variable. And due to
the fact that the anonymous login is always the first to be tried,
even if the user provides an username/password on the URL I'm not able
to retrieve it.

On Sat, Mar 5, 2016 at 11:20 AM, Bryan Turner <bturner@atlassian.com> wrote:
> On Fri, Mar 4, 2016 at 9:51 PM, Guilherme <guibufolo@gmail.com> wrote:
>> Hi,
>>
>> When doing basic authentication using git clone by passing the
>> username and password in the url git clone will first send a GET
>> request without the authorization header set.
>>
>> Am i seeing this right?
>
> I believe this is an intentional behavior in either cURL or how Git
> uses it. Credentials aren't sent until the server returns a challenge
> for them, even if you include them in your clone URL or elsewhere. So
> yes, you're seeing it right.
>
>>
>> This means that if the counterpart allows anonymous cloning but not
>> pushing and the user provided a wrong usernam/password, it has two
>> options:
>
> I'm not sure why this would be true. If the remote server allows
> anonymous clone/fetch, then you never get prompted for credentials
> and, even if they're supplied, they're never sent to the remote
> server. If you then try to push, if the server is working correctly it
> should detect that anonymous users can't push and it should return a
> 401 with a WWW-Authenticate header. When the client receives the 401,
> it should send the credentials it has (or prompt for them if it
> doesn't have them) and the push should work without issue.
>
> Perhaps there's an issue with how your server is setup to handle permissions?
>
>>
>> 1. Allow the access and leave the user to figure out why he is not able to push.
>>
>> 2. Reply by setting the WWW-Authentication header and see if a
>> password/username is provided. This has the downside that if no
>> username and password is provided the user will still get a login
>> prompt for password and username. Upon entering twice nothing he will
>> still be able to clone. This can be confusing.
>>
>> Can this behaviour of git clone (and I guess all the other parts that
>> do basic auth) be changed to provide the authentication header right
>> on the first request? Or am I doing/interpreting it wrong?
>>
>> Thank you.
>> --
>> To unsubscribe from this list: send the line "unsubscribe git" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Git clone sends first an empty authorization header

[Andreas Schwab]

Guilherme <guibufolo@gmail.com> writes:

> When doing basic authentication using git clone by passing the
> username and password in the url git clone will first send a GET
> request without the authorization header set.
>
> Am i seeing this right?

Yes, that is the correct way to implement HTTP authentication.  The
client won't know which authentication method to use until the server
tells it.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."