-
Notifications
You must be signed in to change notification settings - Fork 141
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: discuss caching personal access tokens #1851
Conversation
There are issues in commit e2298b6: |
e2298b6
to
1980f6a
Compare
/submit |
Submitted as [email protected] To fetch this version into
To fetch this version to local tag
|
On the Git mailing list, Junio C Hamano wrote (reply to this): "M Hickford via GitGitGadget" <[email protected]> writes:
> From: M Hickford <[email protected]>
>
> Describe problems storing personal access tokens in git-credential-cache
> and suggest alternatives.
> +PERSONAL ACCESS TOKENS
> +----------------------
> +
> +Some remotes accept personal access tokens, which are randomly
> +generated and hard to memorise. They typically have a lifetime of weeks
> +or months.
> +
> +git-credential-cache is inherently unsuitable for persistent storage of
> +personal access tokens. The credential will be forgotten after the cache
> +timeout. Even if you configure a long timeout, credentials will be
> +forgotten if the daemon dies.
Very true.
> +To avoid frequently regenerating personal access tokens, configure a
> +credential helper with persistent storage.
Like libsecret and osxkeychain, you mean? I am wondering if we want
to be a bit more helpful by being explicit. I think there is a
section in a maual page that has a list of known and often-used
credential backends, so referring the readers to that section may be
helpful.
> Alternatively, configure an
> +OAuth credential helper to generate credentials automatically. See
> +linkgit:gitcredentials[7].
Indeed. |
On the Git mailing list, wrote (reply to this): On January 10, 2025 1:17 PM, Junio C Hamano wrote:
>Subject: Re: [PATCH] docs: discuss caching personal access tokens
>
>"M Hickford via GitGitGadget" <[email protected]> writes:
>
>> From: M Hickford <[email protected]>
>>
>> Describe problems storing personal access tokens in
>> git-credential-cache and suggest alternatives.
>
>> +PERSONAL ACCESS TOKENS
>> +----------------------
>> +
>> +Some remotes accept personal access tokens, which are randomly
>> +generated and hard to memorise. They typically have a lifetime of
>> +weeks or months.
>> +
>> +git-credential-cache is inherently unsuitable for persistent storage
>> +of personal access tokens. The credential will be forgotten after the
>> +cache timeout. Even if you configure a long timeout, credentials will
>> +be forgotten if the daemon dies.
>
>Very true.
>
>> +To avoid frequently regenerating personal access tokens, configure a
>> +credential helper with persistent storage.
>
>Like libsecret and osxkeychain, you mean? I am wondering if we want to be
a bit
>more helpful by being explicit. I think there is a section in a maual page
that has a
>list of known and often-used credential backends, so referring the readers
to that
>section may be helpful.
>
>> Alternatively, configure an
>> +OAuth credential helper to generate credentials automatically. See
>> +linkgit:gitcredentials[7].
>
>Indeed.
My solution for this is to write a custom credential manager that is PAT
aware. The one I built
does not support OAuth or OAuth2. This is non-trivial when dealing with a
CLI. Integrating
with something like MS Authenticator might be a reasonable option for some.
|
User |
1980f6a
to
1e33e7c
Compare
There are issues in commit 286bbfc: |
On the Git mailing list, M Hickford wrote (reply to this): On Fri, 10 Jan 2025 at 18:16, Junio C Hamano <[email protected]> wrote:
>
> "M Hickford via GitGitGadget" <[email protected]> writes:
>
> > From: M Hickford <[email protected]>
> >
> > Describe problems storing personal access tokens in git-credential-cache
> > and suggest alternatives.
>
> > +PERSONAL ACCESS TOKENS
> > +----------------------
> > +
> > +Some remotes accept personal access tokens, which are randomly
> > +generated and hard to memorise. They typically have a lifetime of weeks
> > +or months.
> > +
> > +git-credential-cache is inherently unsuitable for persistent storage of
> > +personal access tokens. The credential will be forgotten after the cache
> > +timeout. Even if you configure a long timeout, credentials will be
> > +forgotten if the daemon dies.
>
> Very true.
>
> > +To avoid frequently regenerating personal access tokens, configure a
> > +credential helper with persistent storage.
>
> Like libsecret and osxkeychain, you mean? I am wondering if we want
> to be a bit more helpful by being explicit. I think there is a
> section in a maual page that has a list of known and often-used
> credential backends, so referring the readers to that section may be
> helpful.
I agree, explicit is more helpful. I shall expand that
gitcredentials.txt section in patch v2.
>
> > Alternatively, configure an
> > +OAuth credential helper to generate credentials automatically. See
> > +linkgit:gitcredentials[7].
>
> Indeed. |
git-credential-store saves credentials unencrypted on disk. It is the least secure choice of credential helper. Nevertheless, it appears several times more popular than any other credential helper [1]. Inform users about more secure alternatives. [1] https://stackoverflow.com/questions/35942754/how-can-i-save-username-and-password-in-git Signed-off-by: M Hickford <[email protected]>
Describe problems storing personal access tokens in git-credential-cache and suggest alternatives. Research suggests that many users are confused about this: > the point of passwords is that (ideally) you memorise them [so] > they're never stored anywhere in plain text. Yet GitHub's personal > access token system seems to basically force you to store the token in > plain text? https://stackoverflow.com/questions/46645843/where-to-store-my-git-personal-access-token#comment89963004_46645843 Signed-off-by: M Hickford <[email protected]>
1e33e7c
to
ac8c5e1
Compare
/submit |
Submitted as [email protected] To fetch this version into
To fetch this version to local tag
|
This patch series was integrated into seen via git@89052f4. |
This branch is now known as |
This patch series was integrated into seen via git@1a6fedb. |
This patch series was integrated into seen via git@88323b2. |
There was a status update in the "New Topics" section about the branch Document that it is insecure to use Personal Access Tokens, which some hosting providers take as username/password, embedded in URLs. Will merge to 'next'. source: <[email protected]> |
This patch series was integrated into seen via git@c5ac9dd. |
This patch series was integrated into seen via git@dff7335. |
This patch series was integrated into seen via git@e2ffb8a. |
This patch series was integrated into seen via git@3883242. |
This patch series was integrated into seen via git@8561b40. |
This patch series was integrated into next via git@a70beab. |
There was a status update in the "Cooking" section about the branch Document that it is insecure to use Personal Access Tokens, which some hosting providers take as username/password, embedded in URLs. Will merge to 'master'. source: <[email protected]> |
This patch series was integrated into seen via git@666fda1. |
This patch series was integrated into seen via git@dabc297. |
This patch series was integrated into seen via git@a958573. |
There was a status update in the "Cooking" section about the branch Document that it is insecure to use Personal Access Tokens, which some hosting providers take as username/password, embedded in URLs. Will merge to 'master'. source: <[email protected]> |
This patch series was integrated into seen via git@ee6b633. |
This patch series was integrated into seen via git@6ecb4fc. |
This patch series was integrated into master via git@6ecb4fc. |
This patch series was integrated into next via git@6ecb4fc. |
Closed via 6ecb4fc. |
CC: [email protected]
CC: [email protected]
CC: [email protected]
CC: [email protected]
CC: [email protected]
cc: [email protected]
Patch v2 adds a list of popular credential helpers.