* Git clone sends first an empty authorization header @ 2016-03-05 4:51 Guilherme 2016-03-05 5:50 ` Bryan Turner 2016-03-05 8:47 ` Andreas Schwab 0 siblings, 2 replies; 4+ messages in thread From: Guilherme @ 2016-03-05 4:51 UTC (permalink / raw) To: git@vger.kernel.org Hi, When doing basic authentication using git clone by passing the username and password in the url git clone will first send a GET request without the authorization header set. Am i seeing this right? This means that if the counterpart allows anonymous cloning but not pushing and the user provided a wrong usernam/password, it has two options: 1. Allow the access and leave the user to figure out why he is not able to push. 2. Reply by setting the WWW-Authentication header and see if a password/username is provided. This has the downside that if no username and password is provided the user will still get a login prompt for password and username. Upon entering twice nothing he will still be able to clone. This can be confusing. Can this behaviour of git clone (and I guess all the other parts that do basic auth) be changed to provide the authentication header right on the first request? Or am I doing/interpreting it wrong? Thank you. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Git clone sends first an empty authorization header 2016-03-05 4:51 Git clone sends first an empty authorization header Guilherme @ 2016-03-05 5:50 ` Bryan Turner 2016-03-05 6:16 ` Guilherme 2016-03-05 8:47 ` Andreas Schwab 1 sibling, 1 reply; 4+ messages in thread From: Bryan Turner @ 2016-03-05 5:50 UTC (permalink / raw) To: Guilherme; +Cc: git@vger.kernel.org On Fri, Mar 4, 2016 at 9:51 PM, Guilherme <guibufolo@gmail.com> wrote: > Hi, > > When doing basic authentication using git clone by passing the > username and password in the url git clone will first send a GET > request without the authorization header set. > > Am i seeing this right? I believe this is an intentional behavior in either cURL or how Git uses it. Credentials aren't sent until the server returns a challenge for them, even if you include them in your clone URL or elsewhere. So yes, you're seeing it right. > > This means that if the counterpart allows anonymous cloning but not > pushing and the user provided a wrong usernam/password, it has two > options: I'm not sure why this would be true. If the remote server allows anonymous clone/fetch, then you never get prompted for credentials and, even if they're supplied, they're never sent to the remote server. If you then try to push, if the server is working correctly it should detect that anonymous users can't push and it should return a 401 with a WWW-Authenticate header. When the client receives the 401, it should send the credentials it has (or prompt for them if it doesn't have them) and the push should work without issue. Perhaps there's an issue with how your server is setup to handle permissions? > > 1. Allow the access and leave the user to figure out why he is not able to push. > > 2. Reply by setting the WWW-Authentication header and see if a > password/username is provided. This has the downside that if no > username and password is provided the user will still get a login > prompt for password and username. Upon entering twice nothing he will > still be able to clone. This can be confusing. > > Can this behaviour of git clone (and I guess all the other parts that > do basic auth) be changed to provide the authentication header right > on the first request? Or am I doing/interpreting it wrong? > > Thank you. > -- > To unsubscribe from this list: send the line "unsubscribe git" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Git clone sends first an empty authorization header 2016-03-05 5:50 ` Bryan Turner @ 2016-03-05 6:16 ` Guilherme 0 siblings, 0 replies; 4+ messages in thread From: Guilherme @ 2016-03-05 6:16 UTC (permalink / raw) To: Bryan Turner; +Cc: git@vger.kernel.org Hey Bryan, Yes that will happen he will get a prompet for username/password but he already provided them in the URL and it worked before. He could clone. I think this is a little bit confusing. My problem is that the tool I'm trying to build is trying to provide the username used to log in via an environment variable. And due to the fact that the anonymous login is always the first to be tried, even if the user provides an username/password on the URL I'm not able to retrieve it. On Sat, Mar 5, 2016 at 11:20 AM, Bryan Turner <bturner@atlassian.com> wrote: > On Fri, Mar 4, 2016 at 9:51 PM, Guilherme <guibufolo@gmail.com> wrote: >> Hi, >> >> When doing basic authentication using git clone by passing the >> username and password in the url git clone will first send a GET >> request without the authorization header set. >> >> Am i seeing this right? > > I believe this is an intentional behavior in either cURL or how Git > uses it. Credentials aren't sent until the server returns a challenge > for them, even if you include them in your clone URL or elsewhere. So > yes, you're seeing it right. > >> >> This means that if the counterpart allows anonymous cloning but not >> pushing and the user provided a wrong usernam/password, it has two >> options: > > I'm not sure why this would be true. If the remote server allows > anonymous clone/fetch, then you never get prompted for credentials > and, even if they're supplied, they're never sent to the remote > server. If you then try to push, if the server is working correctly it > should detect that anonymous users can't push and it should return a > 401 with a WWW-Authenticate header. When the client receives the 401, > it should send the credentials it has (or prompt for them if it > doesn't have them) and the push should work without issue. > > Perhaps there's an issue with how your server is setup to handle permissions? > >> >> 1. Allow the access and leave the user to figure out why he is not able to push. >> >> 2. Reply by setting the WWW-Authentication header and see if a >> password/username is provided. This has the downside that if no >> username and password is provided the user will still get a login >> prompt for password and username. Upon entering twice nothing he will >> still be able to clone. This can be confusing. >> >> Can this behaviour of git clone (and I guess all the other parts that >> do basic auth) be changed to provide the authentication header right >> on the first request? Or am I doing/interpreting it wrong? >> >> Thank you. >> -- >> To unsubscribe from this list: send the line "unsubscribe git" in >> the body of a message to majordomo@vger.kernel.org >> More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Git clone sends first an empty authorization header 2016-03-05 4:51 Git clone sends first an empty authorization header Guilherme 2016-03-05 5:50 ` Bryan Turner @ 2016-03-05 8:47 ` Andreas Schwab 1 sibling, 0 replies; 4+ messages in thread From: Andreas Schwab @ 2016-03-05 8:47 UTC (permalink / raw) To: Guilherme; +Cc: git@vger.kernel.org Guilherme <guibufolo@gmail.com> writes: > When doing basic authentication using git clone by passing the > username and password in the url git clone will first send a GET > request without the authorization header set. > > Am i seeing this right? Yes, that is the correct way to implement HTTP authentication. The client won't know which authentication method to use until the server tells it. Andreas. -- Andreas Schwab, schwab@linux-m68k.org GPG Key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5 "And now for something completely different." ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-03-05 8:48 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2016-03-05 4:51 Git clone sends first an empty authorization header Guilherme 2016-03-05 5:50 ` Bryan Turner 2016-03-05 6:16 ` Guilherme 2016-03-05 8:47 ` Andreas Schwab
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).