From: Junio C Hamano <gitster@pobox.com>
To: M Hickford <mirth.hickford@gmail.com>
Cc: git@vger.kernel.org,  derrickstolee@github.com,  stolee@gmail.com
Subject: Re: transfer.credentialsInUrl should warn about personal access tokens in user field #leftoverbits
Date: Fri, 10 Jan 2025 13:32:44 -0800
Message-ID: <xmqqh6665p8j.fsf@gitster.g>
In-Reply-To: <20250110210500.675629-1-mirth.hickford@gmail.com> (M. Hickford's message of "Fri, 10 Jan 2025 21:05:00 +0000")

M Hickford <mirth.hickford@gmail.com> writes:

> It would be neat to warn similarly if the user includes a personal access token in the *user* field of the remote URL:
>
>     git clone https://<pat>@github.com/...
>
> This is a popular practice according to StackOverflow
> https://stackoverflow.com/a/70320541/284795 (800k views).
>
> GitHub personal access tokens are easily recognised by their
> prefixes "ghp_" and "github_pat_"

Curious.  I do not think we have *any* code to special case such a
"token", so to Git itself, https://<pat>@github.com/... should look
as if it (assuming <pat> does not have any colon in it) is trying to
access the site with <pat> as the username.

How do we _know_ that this request with <pat> does not need a
password?  I ask because I'd prefer not to see us hardcoding any
hosting-site specific heuristics in the code, and these users
apparently are doing fine without any such hardcoding.  If we can
reuse the mechanism that is letting them do so when deciding if we
should warn, it would be great.

Are users expected to configure their credential helpers to know that
it is a <pat> (perhaps with authtype=Bearer)?

Sorry for not giving any answer and piling more questions on top.
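For readers auditing their own remotes, the following checker is an added illustration (not Git's code and not part of this thread's proposal) that applies both rules under discussion: the existing transfer.credentialsInUrl check for a password in the URL, and the proposed heuristic that flags a username beginning with the GitHub token prefixes "ghp_" or "github_pat_". The prefix list, the helper names and the sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Prefixes mentioned in the thread; a constructed heuristic list, not Git's own.
TOKEN_PREFIXES = ("ghp_", "github_pat_")


def credential_findings(url):
    """Return the credential problems found in a remote URL's userinfo.

    "password in URL" mirrors what transfer.credentialsInUrl=warn reports;
    "token-like username" is the heuristic proposed in the thread. Only
    http(s) URLs carry userinfo that Git would send; scp-like syntax such as
    git@host:path has no scheme and yields no findings.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return []
    findings = []
    if parts.password is not None:
        findings.append("password in URL")
    user = parts.username or ""
    for prefix in TOKEN_PREFIXES:
        if user.startswith(prefix):
            findings.append(f"token-like username ({prefix}...)")
            break
    return findings


def redact(url):
    """Strip the userinfo so a URL can be logged without leaking the secret."""
    parts = urlsplit(url)
    host = parts.netloc.rsplit("@", 1)[-1]
    return urlunsplit(parts._replace(netloc=host))


def scan_remotes(urls):
    """Map each offending URL (redacted) to its findings; clean URLs are omitted."""
    report = {}
    for url in urls:
        found = credential_findings(url)
        if found:
            report[redact(url)] = found
    return report


if __name__ == "__main__":
    # Constructed sample remote URLs; the token values are placeholders.
    samples = [
        "https://github.com/org/repo.git",
        "https://ghp_EXAMPLETOKEN@github.com/org/repo.git",
        "https://alice:hunter2@example.com/repo.git",
        "git@github.com:org/repo.git",
    ]
    for url, found in scan_remotes(samples).items():
        print(f"warning: {url}: {', '.join(found)}")
```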


Thread overview: 11+ messages
2025-01-10 21:05 transfer.credentialsInUrl should warn about personal access tokens in user field #leftoverbits M Hickford
2025-01-10 21:32 ` Junio C Hamano [this message]
2025-01-10 22:06   ` brian m. carlson
2025-01-10 22:51     ` Junio C Hamano
2025-01-11  0:08       ` brian m. carlson
2025-01-11  0:45         ` Junio C Hamano
2025-01-11  1:01           ` rsbecker
2025-01-18 20:33     ` M Hickford
2025-01-10 22:10   ` rsbecker
2025-01-10 23:36   ` Randall Becker
2025-01-10 23:44     ` Junio C Hamano
