Re: [Bug] git-http-push authentication fails using netrc-file since v2.46

["brian m. carlson" <sandals@crustytoothpaste.net>]

[-- Attachment #1: Type: text/plain, Size: 2213 bytes --]

On 2025-02-18 at 21:34:59, Peter Georg wrote:
> When pushing to a https remote git used to use the credentials specified in
> netrc-file. I have not configured any other credential stores.
> Since Git 2.46, in particular since commit
> 
> 610cbc1dfb4ad947b82d7312c54c7987177f979f
> http: allow authenticating proactively
> 
> this is not the case anymore. With http.proactiveAuth not set or set to none
> git uses the credentials provided in netrc-file at first correctly, but at
> later connections uses empty credentials and fails with:
> 
> error: Cannot access URL https://<redacted>, return code 22
> 
> fatal: git-http-push failed

This does sound like a problem.  We've long had code to use the netrc
but absolutely zero tests or documentation for it.  I must admit that
I'm not even sure how it works, so I'll need to do some testing.

> With http.proactiveAuth set to auto or basic Git asks for credentials on
> prompt. Should it use the credentials specified in netrc-file?

I hadn't intended `http.proactiveAuth` to work that way.  It's
specifically designed to call the credential helper because it may get
credentials back which are not a username and password (say, a Bearer
token), which it can't do with a netrc file.

Also, from the documentation, it specifically looks like the netrc file
is only used if no credentials are provided, and since we can't query
libcurl to tell us if we would have credentials from the netrc file, I
don't see how we could support the netrc file since we'd have to take
the risk that there are no credentials and we'd get a 401 (which is
exactly what the feature intends to avoid).

> With http.proactiveAuth not set or set to none and no credential specified
> in .netrc a git-push asks me twice for my credentials and then fails with
> the same error as with credentials specified in netrc-file.

I'll start taking a look at this tonight, but it may be later this week
before I get time to write and send a patch.

In the meantime, you can use the git-credential-netrc helper from the
contrib directory, which will probably let you get back to normal.
-- 
brian m. carlson (they/them or he/him)
Toronto, Ontario, CA

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 263 bytes --]