python-github-backup

Add cross platform credential store support

Open martintoreilly opened this issue 8 years ago • 3 comments

Description

Release 0.13.0 added support for fetching a Github personal access token (PAT) that had been previously stored in the OSX Keychain. It would be good to extend this support to Windows and Linux also.

Notes

Existing Python packages

It looks like functionality to interact with system credential stores for various operating systems from Python already exists. For example the Python keyring package (Github repository) supports OSX Keychain, Windows Credential Vault, Freedesktop Secret Service (requires secretstorage) and KWallet (requires dbus).

By using something like keyring for the token storage, cross-platform support should be easy to add.

Potential improvement to user credential provision

If we can support the system credential stores for the main operating systems, we could potentially streamline the user experience for provision of credentials. However, if we create a new user workflow for this, we need to ensure we don't get in the way of users who manage their credentials using git itself (e.g. SSH keys or using a credential.helper).

A potential option might be to deprecate the --keychain-name and --keychain-account arguments in favour of an argument that tells github-backup to look in the system credential store for a PAT. This will preserve the existing behaviour of proceeding to call the Github API / git with no credentials if no credential-related arguments are passed to github-backup. Two potential options for this are:

  1. Add a new boolean argument (e.g. --use-system-keyring)
  2. Extend the -t token argument to interpret a special value as an instruction to use the system credential store (e.g. -t use-system-keyring)

When the new argument is provided, a potential user interaction workflow might be:

  • Automatically look for a default credential name + username pair in the system credential store. I would suggest using github-backup for the credential name and the Github username argument (-u) as the username.
  • If the credential exists, then retrieve the PAT.
  • If the credential does not exist, then prompt the user to enter a PAT at the command prompt and create a new credential using the default credential name + username so they will not be prompted for it next time.

@josegonzalez What are your thoughts on the above user interaction change suggestion?

martintoreilly avatar Apr 05 '17 17:04 martintoreilly
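The lookup-then-prompt workflow proposed above, combined with option 2's special `-t` value, as an added sketch that is not code from the issue or from github-backup. `resolve_token`, `token_from_args` and `MemoryStore` are hypothetical names; `get_password` and `set_password` are the keyring package's real calls, and the in-memory store is a constructed stand-in so the flow can be exercised without a system credential store.

```python
import getpass

SERVICE_NAME = "github-backup"           # default credential name suggested in the issue
KEYRING_SENTINEL = "use-system-keyring"  # option 2's special -t value


class MemoryStore:
    """Constructed stand-in exposing keyring's get_password/set_password."""

    def __init__(self):
        self._items = {}

    def get_password(self, service, username):
        return self._items.get((service, username))

    def set_password(self, service, username, password):
        self._items[(service, username)] = password


def resolve_token(username, store=None, prompt=getpass.getpass):
    """Return the PAT for `username`, prompting and saving it on first use."""
    if store is None:
        import keyring  # third-party package; selects the platform backend
        store = keyring
    token = store.get_password(SERVICE_NAME, username)
    if token:
        return token
    # getpass does not echo, so the PAT stays out of terminal scrollback.
    token = prompt("GitHub personal access token for %s: " % username).strip()
    if not token:
        raise ValueError("no token entered; nothing was stored")
    store.set_password(SERVICE_NAME, username, token)
    return token


def token_from_args(token_arg, username, store=None, prompt=getpass.getpass):
    """Map the -t argument to a token, keeping the no-credential default."""
    if token_arg is None:
        return None       # no credential arguments: proceed unauthenticated
    if token_arg != KEYRING_SENTINEL:
        return token_arg  # a literal token was passed on the command line
    return resolve_token(username, store, prompt)


if __name__ == "__main__":
    demo = MemoryStore()
    first = token_from_args(KEYRING_SENTINEL, "octocat", demo, lambda _m: "constructed-token")
    second = token_from_args(KEYRING_SENTINEL, "octocat", demo, lambda _m: "not-asked")
    print(first == second)  # second call reads the stored value, no prompt
```

A blank entry raises before anything is written, so an accidental Enter at the prompt does not leave an empty credential behind for the next run.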

Also, I'm happy to implement this, so please feel free to assign this issue to me.

martintoreilly avatar Apr 05 '17 17:04 martintoreilly

This all seems fine. Go forth and program! (tests would be nice).

josegonzalez avatar Apr 05 '17 18:04 josegonzalez

Another option is to use whatever https://github.com/cli/cli uses to store credentials.