Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: discuss caching personal access tokens #1851

Closed
wants to merge 2 commits into from

Conversation

hickford
Copy link

@hickford hickford commented Jan 9, 2025

Copy link

gitgitgadget bot commented Jan 9, 2025

There are issues in commit e2298b6:
docs: discuss caching personal access tokens
Commit not signed off

@hickford
Copy link
Author

hickford commented Jan 9, 2025

/submit

Copy link

gitgitgadget bot commented Jan 9, 2025

Submitted as pull.1851.git.1736458019921.gitgitgadget@gmail.com

To fetch this version into FETCH_HEAD:

git fetch https://github.com/gitgitgadget/git/ pr-1851/hickford/cache-pat-docs-v1

To fetch this version to local tag pr-1851/hickford/cache-pat-docs-v1:

git fetch --no-tags https://github.com/gitgitgadget/git/ tag pr-1851/hickford/cache-pat-docs-v1

Copy link

gitgitgadget bot commented Jan 10, 2025

On the Git mailing list, Junio C Hamano wrote (reply to this):

"M Hickford via GitGitGadget" <gitgitgadget@gmail.com> writes:

> From: M Hickford <mirth.hickford@gmail.com>
>
> Describe problems storing personal access tokens in git-credential-cache
> and suggest alternatives.

> +PERSONAL ACCESS TOKENS
> +----------------------
> +
> +Some remotes accept personal access tokens, which are randomly
> +generated and hard to memorise. They typically have a lifetime of weeks
> +or months.
> +
> +git-credential-cache is inherently unsuitable for persistent storage of
> +personal access tokens. The credential will be forgotten after the cache
> +timeout. Even if you configure a long timeout, credentials will be
> +forgotten if the daemon dies.

Very true.

> +To avoid frequently regenerating personal access tokens, configure a
> +credential helper with persistent storage.

Like libsecret and osxkeychain, you mean?  I am wondering if we want
to be a bit more helpful by being explicit.  I think there is a
section in a maual page that has a list of known and often-used
credential backends, so referring the readers to that section may be
helpful.

> Alternatively, configure an
> +OAuth credential helper to generate credentials automatically. See
> +linkgit:gitcredentials[7].

Indeed.

Copy link

gitgitgadget bot commented Jan 10, 2025

On the Git mailing list, wrote (reply to this):

On January 10, 2025 1:17 PM, Junio C Hamano wrote:
>Subject: Re: [PATCH] docs: discuss caching personal access tokens
>
>"M Hickford via GitGitGadget" <gitgitgadget@gmail.com> writes:
>
>> From: M Hickford <mirth.hickford@gmail.com>
>>
>> Describe problems storing personal access tokens in
>> git-credential-cache and suggest alternatives.
>
>> +PERSONAL ACCESS TOKENS
>> +----------------------
>> +
>> +Some remotes accept personal access tokens, which are randomly
>> +generated and hard to memorise. They typically have a lifetime of
>> +weeks or months.
>> +
>> +git-credential-cache is inherently unsuitable for persistent storage
>> +of personal access tokens. The credential will be forgotten after the
>> +cache timeout. Even if you configure a long timeout, credentials will
>> +be forgotten if the daemon dies.
>
>Very true.
>
>> +To avoid frequently regenerating personal access tokens, configure a
>> +credential helper with persistent storage.
>
>Like libsecret and osxkeychain, you mean?  I am wondering if we want to be
a bit
>more helpful by being explicit.  I think there is a section in a maual page
that has a
>list of known and often-used credential backends, so referring the readers
to that
>section may be helpful.
>
>> Alternatively, configure an
>> +OAuth credential helper to generate credentials automatically. See
>> +linkgit:gitcredentials[7].
>
>Indeed.

My solution for this is to write a custom credential manager that is PAT
aware. The one I built
does not support OAuth or OAuth2. This is non-trivial when dealing with a
CLI. Integrating
with something like MS Authenticator might be a reasonable option for some.

Copy link

gitgitgadget bot commented Jan 10, 2025

User <rsbecker@nexbridge.com> has been added to the cc: list.

Copy link

gitgitgadget bot commented Jan 10, 2025

There are issues in commit 286bbfc:
docs: list popular credential helpers
Commit not signed off

Copy link

gitgitgadget bot commented Jan 10, 2025

On the Git mailing list, M Hickford wrote (reply to this):

On Fri, 10 Jan 2025 at 18:16, Junio C Hamano <gitster@pobox.com> wrote:
>
> "M Hickford via GitGitGadget" <gitgitgadget@gmail.com> writes:
>
> > From: M Hickford <mirth.hickford@gmail.com>
> >
> > Describe problems storing personal access tokens in git-credential-cache
> > and suggest alternatives.
>
> > +PERSONAL ACCESS TOKENS
> > +----------------------
> > +
> > +Some remotes accept personal access tokens, which are randomly
> > +generated and hard to memorise. They typically have a lifetime of weeks
> > +or months.
> > +
> > +git-credential-cache is inherently unsuitable for persistent storage of
> > +personal access tokens. The credential will be forgotten after the cache
> > +timeout. Even if you configure a long timeout, credentials will be
> > +forgotten if the daemon dies.
>
> Very true.
>
> > +To avoid frequently regenerating personal access tokens, configure a
> > +credential helper with persistent storage.
>
> Like libsecret and osxkeychain, you mean?  I am wondering if we want
> to be a bit more helpful by being explicit.  I think there is a
> section in a maual page that has a list of known and often-used
> credential backends, so referring the readers to that section may be
> helpful.

I agree, explicit is more helpful. I shall expand that
gitcredentials.txt section in patch v2.

>
> > Alternatively, configure an
> > +OAuth credential helper to generate credentials automatically. See
> > +linkgit:gitcredentials[7].
>
> Indeed.

git-credential-store saves credentials unencrypted on disk. It is the
least secure choice of credential helper. Nevertheless, it appears
several times more popular than any other credential helper [1].

Inform users about more secure alternatives.

[1] https://stackoverflow.com/questions/35942754/how-can-i-save-username-and-password-in-git

Signed-off-by: M Hickford <mirth.hickford@gmail.com>
Describe problems storing personal access tokens in git-credential-cache
and suggest alternatives.

Research suggests that many users are confused about this:

> the point of passwords is that (ideally) you memorise them [so]
> they're never stored anywhere in plain text. Yet GitHub's personal
> access token system seems to basically force you to store the token in
> plain text?

https://stackoverflow.com/questions/46645843/where-to-store-my-git-personal-access-token#comment89963004_46645843
Signed-off-by: M Hickford <mirth.hickford@gmail.com>
@hickford
Copy link
Author

/submit

Copy link

gitgitgadget bot commented Jan 10, 2025

Submitted as pull.1851.v2.git.1736549677.gitgitgadget@gmail.com

To fetch this version into FETCH_HEAD:

git fetch https://github.com/gitgitgadget/git/ pr-1851/hickford/cache-pat-docs-v2

To fetch this version to local tag pr-1851/hickford/cache-pat-docs-v2:

git fetch --no-tags https://github.com/gitgitgadget/git/ tag pr-1851/hickford/cache-pat-docs-v2

Copy link

gitgitgadget bot commented Jan 11, 2025

This patch series was integrated into seen via git@89052f4.

@gitgitgadget gitgitgadget bot added the seen label Jan 11, 2025
Copy link

gitgitgadget bot commented Jan 13, 2025

This branch is now known as mh/doc-credential-helpers-with-pat.

Copy link

gitgitgadget bot commented Jan 13, 2025

This patch series was integrated into seen via git@1a6fedb.

Copy link

gitgitgadget bot commented Jan 14, 2025

This patch series was integrated into seen via git@88323b2.

Copy link

gitgitgadget bot commented Jan 14, 2025

There was a status update in the "New Topics" section about the branch mh/doc-credential-helpers-with-pat on the Git mailing list:

Document that it is insecure to use Personal Access Tokens, which
some hosting providers take as username/password, embedded in URLs.

Will merge to 'next'.
source: <pull.1851.v2.git.1736549677.gitgitgadget@gmail.com>

Copy link

gitgitgadget bot commented Jan 14, 2025

This patch series was integrated into seen via git@c5ac9dd.

Copy link

gitgitgadget bot commented Jan 16, 2025

This patch series was integrated into seen via git@dff7335.

Copy link

gitgitgadget bot commented Jan 16, 2025

This patch series was integrated into seen via git@e2ffb8a.

Copy link

gitgitgadget bot commented Jan 17, 2025

This patch series was integrated into seen via git@3883242.

Copy link

gitgitgadget bot commented Jan 18, 2025

This patch series was integrated into seen via git@8561b40.

Copy link

gitgitgadget bot commented Jan 18, 2025

This patch series was integrated into next via git@a70beab.

@gitgitgadget gitgitgadget bot added the next label Jan 18, 2025
Copy link

gitgitgadget bot commented Jan 18, 2025

There was a status update in the "Cooking" section about the branch mh/doc-credential-helpers-with-pat on the Git mailing list:

Document that it is insecure to use Personal Access Tokens, which
some hosting providers take as username/password, embedded in URLs.

Will merge to 'master'.
source: <pull.1851.v2.git.1736549677.gitgitgadget@gmail.com>

Copy link

gitgitgadget bot commented Jan 21, 2025

This patch series was integrated into seen via git@666fda1.

Copy link

gitgitgadget bot commented Jan 22, 2025

This patch series was integrated into seen via git@dabc297.

Copy link

gitgitgadget bot commented Jan 22, 2025

This patch series was integrated into seen via git@a958573.

Copy link

gitgitgadget bot commented Jan 22, 2025

There was a status update in the "Cooking" section about the branch mh/doc-credential-helpers-with-pat on the Git mailing list:

Document that it is insecure to use Personal Access Tokens, which
some hosting providers take as username/password, embedded in URLs.

Will merge to 'master'.
source: <pull.1851.v2.git.1736549677.gitgitgadget@gmail.com>

Copy link

gitgitgadget bot commented Jan 23, 2025

This patch series was integrated into seen via git@ee6b633.

Copy link

gitgitgadget bot commented Jan 24, 2025

This patch series was integrated into seen via git@6ecb4fc.

Copy link

gitgitgadget bot commented Jan 24, 2025

This patch series was integrated into master via git@6ecb4fc.

Copy link

gitgitgadget bot commented Jan 24, 2025

This patch series was integrated into next via git@6ecb4fc.

@gitgitgadget gitgitgadget bot added the master label Jan 24, 2025
@gitgitgadget gitgitgadget bot closed this Jan 24, 2025
Copy link

gitgitgadget bot commented Jan 24, 2025

Closed via 6ecb4fc.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant