Retrieve auth token from git credential helper #83

Open
oyamauchi opened this issue Jun 25, 2022 · 3 comments

@oyamauchi
Collaborator

Git has a way to store repo credentials, which includes GitHub tokens; spr should have a way to use that, instead of needing spr.githubAuthToken. This would avoid having copies of tokens all over the place in .git/config files.

In my global .gitconfig:

[credential]
helper = store

The store helper by default stores credentials in ~/.git-credentials, which looks like:

https://oyamauchi:ghp_*******@github.com

Then this code retrieves credentials for the repo at the URL you pass to CredentialHelper::new:

use git2::Config;
use git2::CredentialHelper;

fn main() {
  let config = Config::open_default().unwrap();
  let mut cred_helper = CredentialHelper::new("https://github.com/getcord/spr.git");
  cred_helper.config(&config);
  println!("{:?}", cred_helper.execute());
}

Which outputs:

Some(("oyamauchi", "ghp_*******"))

@sven-of-cord
Contributor

Interesting. I can see the problem. .git/config files are generally readable by any user. It's not the right place to store credentials. This must be fixed.

I'm not sure if just using git credentials is a user-friendly solution. One, because the user has to set something up, or credentials are not persisted. Two, because it overlaps with other use cases. A user may have stored some GitHub credentials in git-credentials already (maybe to be able to git fetch from any GitHub https address), but those credentials may not have the scopes that spr needs. Three, I can't find a way to store credentials using git2. It can retrieve them through the CredentialHelper, but I don't see how it can write them. Four, I like to be able to use different creds in different local repos (having a personal and a work GitHub account). The last one is probably a fringe use case, not relevant for most people.

I looked at the GitHub CLI tool (gh), and it maintains its own file to store credentials (~/.config/gh/hosts.yml), with restrictive file permissions. It stores them by-host, so in that sense it's very similar to Git's credential storage.

I'll have another think...
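
The approach described above for gh, a per-host credentials file with restrictive permissions, can be sketched with the Rust standard library alone. This is an added example, not part of the thread and not code from spr or gh; the `host<TAB>token` file format, the function names `store_token` and `load_token`, and the sample path and token are assumptions, and it is Unix-only.

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{self, Read, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Save `token` for `host` as a `host<TAB>token` line (hypothetical format).
fn store_token(path: &Path, host: &str, token: &str) -> io::Result<()> {
    // Keep entries for other hosts; drop any previous entry for this host.
    let mut lines: Vec<String> = match fs::read_to_string(path) {
        Ok(s) => s.lines().filter(|l| l.split('\t').next() != Some(host))
            .map(String::from).collect(),
        Err(e) if e.kind() == io::ErrorKind::NotFound => Vec::new(),
        Err(e) => return Err(e),
    };
    lines.push(format!("{}\t{}", host, token));
    // mode(0o600) applies at creation, so a new file is never world-readable.
    let mut f = OpenOptions::new().write(true).create(true).truncate(true)
        .mode(0o600).open(path)?;
    // A pre-existing file keeps its old mode: tighten it before writing.
    f.set_permissions(fs::Permissions::from_mode(0o600))?;
    f.write_all((lines.join("\n") + "\n").as_bytes())
}

/// Return the token for `host`; refuse a file that group or others can access.
fn load_token(path: &Path, host: &str) -> io::Result<Option<String>> {
    let mut f = File::open(path)?;
    // Check the mode on the open handle, not the path, to avoid a swap race.
    let mode = f.metadata()?.permissions().mode() & 0o777;
    if mode & 0o077 != 0 {
        let msg = format!("{} has mode {:o}, want 600", path.display(), mode);
        return Err(io::Error::new(io::ErrorKind::PermissionDenied, msg));
    }
    let mut text = String::new();
    f.read_to_string(&mut text)?;
    Ok(text.lines().find_map(|l| {
        let (h, t) = l.split_once('\t')?;
        (h == host).then(|| t.to_string())
    }))
}

fn main() {
    // Constructed path and token, for demonstration only.
    let path = std::env::temp_dir().join(format!("spr-hosts-{}.tsv", std::process::id()));
    store_token(&path, "github.com", "ghp_CONSTRUCTED_EXAMPLE").expect("store");
    println!("{:?}", load_token(&path, "github.com").expect("load"));
    fs::remove_file(&path).expect("cleanup");
}
```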

@oyamauchi
Collaborator Author

Yeah, I don't think it necessarily has to be git-credentials, just some kind of centralized storage. (1) because of the security angle, and (2) because it's more convenient, like if you have multiple repos where you're using spr.

@sunshowers

sunshowers commented Jun 11, 2024

Related to this, it would be great if we could configure the token to be fetched via a simple command -- my personal preference for this would be to store it in 1password and use their shell command op to fetch it. That would be a pretty agnostic way to do this.
