Failing to push to a repository erases authentication helper credentials

Failing to push to a repository erases authentication helper credentials

[Michal Suchánek]

Hello,

I was trying out AGit https://docs.gitea.com/usage/agit with oauth
helper https://github.com/hickford/git-credential-oauth encountering
this bug https://github.com/go-gitea/gitea/issues/34583

When doing so the oauth helper asked for new authentication, then for
some reason I was asked for authentication by some other helper.

After that pushing to repository to which I have permissions asked for
authentication again.

This hints that any failed git operation erases helper credentials.

That does not sound like a desirable behavior.

Could the previous credentials be preserved?

Thanks

Michal

Re: Failing to push to a repository erases authentication helper credentials

[brian m. carlson]

[-- Attachment #1: Type: text/plain, Size: 1203 bytes --]

On 2025-06-30 at 13:45:30, Michal Suchánek wrote:
> I was trying out AGit https://docs.gitea.com/usage/agit with oauth
> helper https://github.com/hickford/git-credential-oauth encountering
> this bug https://github.com/go-gitea/gitea/issues/34583
> 
> When doing so the oauth helper asked for new authentication, then for
> some reason I was asked for authentication by some other helper.
> 
> After that pushing to repository to which I have permissions asked for
> authentication again.
> 
> This hints that any failed git operation erases helper credentials.

This is true and it's by design.

> That does not sound like a desirable behavior.

It is in fact desirable because otherwise the user continues to attempt
to use the bad credentials and then can never again authenticate
successfully, since they are never again prompted for credentials.

> Could the previous credentials be preserved?

Git doesn't have a behaviour to do so, but you could of course craft a
custom credential helper that just rejects the erase command and passes
everything else through to another helper.  That would achieve your
goal.
-- 
brian m. carlson (they/them)
Toronto, Ontario, CA

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 262 bytes --]

Re: Failing to push to a repository erases authentication helper credentials

[Michal Suchánek]

On Mon, Jun 30, 2025 at 02:31:15PM +0000, brian m. carlson wrote:
> On 2025-06-30 at 13:45:30, Michal Suchánek wrote:
> > I was trying out AGit https://docs.gitea.com/usage/agit with oauth
> > helper https://github.com/hickford/git-credential-oauth encountering
> > this bug https://github.com/go-gitea/gitea/issues/34583
> > 
> > When doing so the oauth helper asked for new authentication, then for
> > some reason I was asked for authentication by some other helper.
> > 
> > After that pushing to repository to which I have permissions asked for
> > authentication again.
> > 
> > This hints that any failed git operation erases helper credentials.
> 
> This is true and it's by design.
> 
> > That does not sound like a desirable behavior.
> 
> It is in fact desirable because otherwise the user continues to attempt
> to use the bad credentials and then can never again authenticate
> successfully, since they are never again prompted for credentials.

My proglem is that the credentials are actually valid, only the
operation is not. The current behavior erases valid credentials.

> > Could the previous credentials be preserved?
> 
> Git doesn't have a behaviour to do so, but you could of course craft a
> custom credential helper that just rejects the erase command and passes
> everything else through to another helper.  That would achieve your

I do not want to use another helper. I want to preserve the last valid
credentials.

Of course, using credentials that are not maintained by git at all (such
as ssh authentication) does not have this problem. Only git-managed
credentials get erased on invalid operation.

Thanks

Michal

Re: Failing to push to a repository erases authentication helper credentials

[brian m. carlson]

[-- Attachment #1: Type: text/plain, Size: 2707 bytes --]

On 2025-06-30 at 15:09:06, Michal Suchánek wrote:
> On Mon, Jun 30, 2025 at 02:31:15PM +0000, brian m. carlson wrote:
> > It is in fact desirable because otherwise the user continues to attempt
> > to use the bad credentials and then can never again authenticate
> > successfully, since they are never again prompted for credentials.
> 
> My proglem is that the credentials are actually valid, only the
> operation is not. The current behavior erases valid credentials.

Then the server needs to return a 403 or 404 and not a 401.  A 401
prompts Git to expire credentials and a 403 or 404 does not.  Only the
server knows whether the credentials are actually valid for some access
or not at all.

RFC 9110 § 15.5.2 says this:

    The 401 (Unauthorized) status code indicates that the request has
    not been applied because it lacks valid authentication credentials
    for the target resource.

and § 15.5.4 says this:

    The 403 (Forbidden) status code indicates that the server understood
    the request but refuses to fulfill it.
    […]
    If authentication credentials were provided in the request, the
    server considers them insufficient to grant access. The client
    SHOULD NOT automatically repeat the request with the same
    credentials. The client MAY repeat the request with new or different
    credentials.
    […]
    An origin server that wishes to "hide" the current existence of a
    forbidden target resource MAY instead respond with a status code of
    404 (Not Found).

So the server is incorrect in returning a 401 in this case if the
credentials are actually valid for a different operation on the same
resource.

> > Git doesn't have a behaviour to do so, but you could of course craft a
> > custom credential helper that just rejects the erase command and passes
> > everything else through to another helper.  That would achieve your
> 
> I do not want to use another helper. I want to preserve the last valid
> credentials.
> 
> Of course, using credentials that are not maintained by git at all (such
> as ssh authentication) does not have this problem. Only git-managed
> credentials get erased on invalid operation.

In general, Git does not presently offer this functionality.  We could
in theory accept a patch for a config option that makes this work, but I
expect it will lead to hard-to-troubleshoot problems for the exact
reason I mentioned.  It will also require an update to the Git FAQ to
disable that option in the example, since we use the exact same
mechanism to delete credentials for users who _do_ want to expire
credentials.
-- 
brian m. carlson (they/them)
Toronto, Ontario, CA

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 262 bytes --]

Re: Failing to push to a repository erases authentication helper credentials

[Michal Suchánek]

On Mon, Jun 30, 2025 at 06:29:46PM +0000, brian m. carlson wrote:
> On 2025-06-30 at 15:09:06, Michal Suchánek wrote:
> > On Mon, Jun 30, 2025 at 02:31:15PM +0000, brian m. carlson wrote:
> > > It is in fact desirable because otherwise the user continues to attempt
> > > to use the bad credentials and then can never again authenticate
> > > successfully, since they are never again prompted for credentials.
> > 
> > My proglem is that the credentials are actually valid, only the
> > operation is not. The current behavior erases valid credentials.
> 
> Then the server needs to return a 403 or 404 and not a 401.  A 401
> prompts Git to expire credentials and a 403 or 404 does not.  Only the
> server knows whether the credentials are actually valid for some access
> or not at all.
> 
> RFC 9110 § 15.5.2 says this:
> 
>     The 401 (Unauthorized) status code indicates that the request has
>     not been applied because it lacks valid authentication credentials
>     for the target resource.
> 
> and § 15.5.4 says this:
> 
>     The 403 (Forbidden) status code indicates that the server understood
>     the request but refuses to fulfill it.
>     […]
>     If authentication credentials were provided in the request, the
>     server considers them insufficient to grant access. The client
>     SHOULD NOT automatically repeat the request with the same
>     credentials. The client MAY repeat the request with new or different
>     credentials.
>     […]
>     An origin server that wishes to "hide" the current existence of a
>     forbidden target resource MAY instead respond with a status code of
>     404 (Not Found).
> 
> So the server is incorrect in returning a 401 in this case if the
> credentials are actually valid for a different operation on the same
> resource.

Is there any way to see what the server is returning?

As the repository uses SSL capturing the communication with a proxy
would be challenging.

Thanks

Michal

Re: Failing to push to a repository erases authentication helper credentials

[Michal Suchánek]

On Tue, Jul 01, 2025 at 08:54:42AM +0200, Michal Suchánek wrote:
> On Mon, Jun 30, 2025 at 06:29:46PM +0000, brian m. carlson wrote:
> > On 2025-06-30 at 15:09:06, Michal Suchánek wrote:
> > > On Mon, Jun 30, 2025 at 02:31:15PM +0000, brian m. carlson wrote:
> > > > It is in fact desirable because otherwise the user continues to attempt
> > > > to use the bad credentials and then can never again authenticate
> > > > successfully, since they are never again prompted for credentials.
> > > 
> > > My proglem is that the credentials are actually valid, only the
> > > operation is not. The current behavior erases valid credentials.
> > 
> > Then the server needs to return a 403 or 404 and not a 401.  A 401
> > prompts Git to expire credentials and a 403 or 404 does not.  Only the
> > server knows whether the credentials are actually valid for some access
> > or not at all.
> > 
> > RFC 9110 § 15.5.2 says this:
> > 
> >     The 401 (Unauthorized) status code indicates that the request has
> >     not been applied because it lacks valid authentication credentials
> >     for the target resource.
> > 
> > and § 15.5.4 says this:
> > 
> >     The 403 (Forbidden) status code indicates that the server understood
> >     the request but refuses to fulfill it.
> >     […]
> >     If authentication credentials were provided in the request, the
> >     server considers them insufficient to grant access. The client
> >     SHOULD NOT automatically repeat the request with the same
> >     credentials. The client MAY repeat the request with new or different
> >     credentials.
> >     […]
> >     An origin server that wishes to "hide" the current existence of a
> >     forbidden target resource MAY instead respond with a status code of
> >     404 (Not Found).
> > 
> > So the server is incorrect in returning a 401 in this case if the
> > credentials are actually valid for a different operation on the same
> > resource.
> 
> Is there any way to see what the server is returning?
> 
> As the repository uses SSL capturing the communication with a proxy
> would be challenging.

mitmweb works for the purpose but it's hard to interprete the data.

401 is often returned even in the cases when everything works correctly,
probably because git first tries to access without authentication.

403 is not ever returned, the error only happens on the git protocol
level, apparently.

Thanks

Michal

Re: Failing to push to a repository erases authentication helper credentials

[Junio C Hamano]

Michal Suchánek <msuchanek@suse.de> writes:

> Is there any way to see what the server is returning?

If this is going over http(s)://, then

    export GIT_TRACE_CURL=true

(or the absolute path name of the file you want to store the trace
data in, in place for true that tells it to dump to the standard
error stream), perhaps?

Re: Failing to push to a repository erases authentication helper credentials

[Michal Suchánek]

On Tue, Jul 01, 2025 at 08:38:09AM -0700, Junio C Hamano wrote:
> Michal Suchánek <msuchanek@suse.de> writes:
> 
> > Is there any way to see what the server is returning?
> 
> If this is going over http(s)://, then
> 
>     export GIT_TRACE_CURL=true
> 

With that I can see that the forge instance in question reports
indiscriminately 401 while their demo site running the current
development code correctly returns 403.

Probably a case for upgrading to a more recent version.

Thanks

Michal