<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/Documentation/gitcredentials.txt, branch v2.45.2</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.45.2</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.45.2'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2023-07-18T14:28:52Z</updated>
<entry>
<title>Merge branch 'mh/doc-credential-helpers'</title>
<updated>2023-07-18T14:28:52Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2023-07-18T14:28:52Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=d6e67222c103783616912c26c9906b8167c39ab8'/>
<id>urn:sha1:d6e67222c103783616912c26c9906b8167c39ab8</id>
<content type='text'>
Doc update.

* mh/doc-credential-helpers:
  doc: gitcredentials: link to helper list
</content>
</entry>
<entry>
<title>doc: gitcredentials: link to helper list</title>
<updated>2023-07-10T17:35:55Z</updated>
<author>
<name>M Hickford</name>
<email>mirth.hickford@gmail.com</email>
</author>
<published>2023-07-08T20:36:54Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=4c9cb51fe7beafc1033ec33e7f9d431c04d8b278'/>
<id>urn:sha1:4c9cb51fe7beafc1033ec33e7f9d431c04d8b278</id>
<content type='text'>
Link to community list of credential helpers. This is useful information
for users.

Describe how OAuth credential helpers work. OAuth is a user-friendly
alternative to personal access tokens and SSH keys. Reduced setup cost
makes it easier for users to contribute to projects across multiple
forges.

Signed-off-by: M Hickford &lt;mirth.hickford@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>credential: erase all matching credentials</title>
<updated>2023-06-15T20:26:41Z</updated>
<author>
<name>M Hickford</name>
<email>mirth.hickford@gmail.com</email>
</author>
<published>2023-06-15T19:19:33Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=6c26da8404c8acfed62fa4775b7b591f099bcd33'/>
<id>urn:sha1:6c26da8404c8acfed62fa4775b7b591f099bcd33</id>
<content type='text'>
`credential reject` sends the erase action to each helper, but the
exact behaviour of erase isn't specified in documentation or tests.
Some helpers (such as credential-store and credential-libsecret) delete
all matching credentials, others (such as credential-cache) delete at
most one matching credential.

Test that helpers erase all matching credentials. This behaviour is
easiest to reason about. Users expect that `echo
"url=https://example.com" | git credential reject` or `echo
"url=https://example.com\nusername=tim" | git credential reject` erase
all matching credentials.

Fix credential-cache.

Signed-off-by: M Hickford &lt;mirth.hickford@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>credential: new attribute password_expiry_utc</title>
<updated>2023-02-22T23:18:58Z</updated>
<author>
<name>M Hickford</name>
<email>mirth.hickford@gmail.com</email>
</author>
<published>2023-02-18T06:32:57Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=d208bfdfef97a1e8fb746763b5057e0ad91e283b'/>
<id>urn:sha1:d208bfdfef97a1e8fb746763b5057e0ad91e283b</id>
<content type='text'>
Some passwords have an expiry date known at generation. This may be
years away for a personal access token or hours for an OAuth access
token.

When multiple credential helpers are configured, `credential fill` tries
each helper in turn until it has a username and password, returning
early. If Git authentication succeeds, `credential approve`
stores the successful credential in all helpers. If authentication
fails, `credential reject` erases matching credentials in all helpers.
Helpers implement corresponding operations: get, store, erase.

The credential protocol has no expiry attribute, so helpers cannot
store expiry information. Even if a helper returned an improvised
expiry attribute, git credential discards unrecognised attributes
between operations and between helpers.

This is a particular issue when a storage helper and a
credential-generating helper are configured together:

	[credential]
		helper = storage  # eg. cache or osxkeychain
		helper = generate  # eg. oauth

`credential approve` stores the generated credential in both helpers
without expiry information. Later `credential fill` may return an
expired credential from storage. There is no workaround, no matter how
clever the second helper. The user sees authentication fail (a retry
will succeed).

Introduce a password expiry attribute. In `credential fill`, ignore
expired passwords and continue to query subsequent helpers.

In the example above, `credential fill` ignores the expired password
and a fresh credential is generated. If authentication succeeds,
`credential approve` replaces the expired password in storage.
If authentication fails, the expired credential is erased by
`credential reject`. It is unnecessary but harmless for storage
helpers to self-prune expired credentials.

Add support for the new attribute to credential-cache.
Eventually, I hope to see support in other popular storage helpers.

Example usage in a credential-generating helper
https://github.com/hickford/git-credential-oauth/pull/16

Signed-off-by: M Hickford &lt;mirth.hickford@gmail.com&gt;
Reviewed-by: Calvin Wan &lt;calvinwan@google.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'mh/gitcredentials-generate'</title>
<updated>2022-11-23T02:22:25Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2022-11-23T02:22:25Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=c197977cb6b250906dbe1a05f899c65bb1ac2a9f'/>
<id>urn:sha1:c197977cb6b250906dbe1a05f899c65bb1ac2a9f</id>
<content type='text'>
Doc update.

* mh/gitcredentials-generate:
  Docs: describe how a credential-generating helper works
</content>
</entry>
<entry>
<title>Merge branch 'mh/credential-unrecognized-attrs'</title>
<updated>2022-11-18T23:43:59Z</updated>
<author>
<name>Taylor Blau</name>
<email>me@ttaylorr.com</email>
</author>
<published>2022-11-18T23:43:59Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=35a62bb5798092d491e6c7e688db6cb1418c9098'/>
<id>urn:sha1:35a62bb5798092d491e6c7e688db6cb1418c9098</id>
<content type='text'>
Docfix.

* mh/credential-unrecognized-attrs:
  docs: clarify that credential discards unrecognised attributes
</content>
</entry>
<entry>
<title>Docs: describe how a credential-generating helper works</title>
<updated>2022-11-14T23:18:59Z</updated>
<author>
<name>M Hickford</name>
<email>mirth.hickford@gmail.com</email>
</author>
<published>2022-11-12T01:44:30Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=dabb9d875f665ec5da9ae8c84fed765cf9187463'/>
<id>urn:sha1:dabb9d875f665ec5da9ae8c84fed765cf9187463</id>
<content type='text'>
Previously the docs only described storage helpers.

A concrete example: Git Credential Manager can generate credentials
for GitHub and GitLab via OAuth.
https://github.com/GitCredentialManager/git-credential-manager

Signed-off-by: M Hickford &lt;mirth.hickford@gmail.com&gt;
Signed-off-by: Taylor Blau &lt;me@ttaylorr.com&gt;
</content>
</entry>
<entry>
<title>docs: clarify that credential discards unrecognised attributes</title>
<updated>2022-11-13T04:57:34Z</updated>
<author>
<name>M Hickford</name>
<email>mirth.hickford@gmail.com</email>
</author>
<published>2022-10-24T07:57:48Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=7fd54b6238e5802147a5ca259c3b5e6b8e06471d'/>
<id>urn:sha1:7fd54b6238e5802147a5ca259c3b5e6b8e06471d</id>
<content type='text'>
It was previously unclear how unrecognised attributes are handled.

Signed-off-by: M Hickford &lt;mirth.hickford@gmail.com&gt;
Signed-off-by: Taylor Blau &lt;me@ttaylorr.com&gt;
</content>
</entry>
<entry>
<title>Documentation/gitcredentials.txt: mention password alternatives</title>
<updated>2022-11-08T21:46:54Z</updated>
<author>
<name>M Hickford</name>
<email>mirth.hickford@gmail.com</email>
</author>
<published>2022-11-08T13:01:27Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=54e95b466334e8f6ba4421991cfc189e1291ea87'/>
<id>urn:sha1:54e95b466334e8f6ba4421991cfc189e1291ea87</id>
<content type='text'>
Git asks for a "password", but the user might use a
personal access token or OAuth access token instead.

Example:

    Password for 'https://AzureDiamond@github.com':

Signed-off-by: M Hickford &lt;mirth.hickford@gmail.com&gt;
Signed-off-by: Taylor Blau &lt;me@ttaylorr.com&gt;
</content>
</entry>
<entry>
<title>doc: uniformize &lt;URL&gt; placeholders' case</title>
<updated>2021-11-09T17:39:11Z</updated>
<author>
<name>Jean-Noël Avila</name>
<email>jn.avila@free.fr</email>
</author>
<published>2021-11-06T18:48:55Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=7706294ec94ab9f9b864a8451ac089f15d18a254'/>
<id>urn:sha1:7706294ec94ab9f9b864a8451ac089f15d18a254</id>
<content type='text'>
URL being an acronym, it deserves to be kept uppercase.

Signed-off-by: Jean-Noël Avila &lt;jn.avila@free.fr&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
