
Enable X-Gitea-OTP header for git operations

Open · Kwonunn opened this issue 1 year ago · 12 comments

Feature Description

Currently, users with Multi-Factor Auth can't use http/https to perform git operations. The Gitea API does support sending the OTP along using the X-Gitea-OTP header. It would be useful if git operations also supported this header.

It is possible to add custom headers to git http requests using the -c http.extraHeader="X-Gitea-OTP: 123456" flag.

This would be useful for one-time cloning of projects to computers where we don't want to set up our entire SSH key, and is a lot easier than creating an application token for the operation.

Screenshots

No response

Kwonunn, Jan 28 '24 11:01
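As an added illustration (not Gitea's own code), a stdlib-only Go version of the check the request asks for: a git smart-HTTP request authenticated with username and password from a 2FA-enrolled account must also carry a valid TOTP code in X-Gitea-OTP, otherwise it is refused. The user table, the passwords and alice's TOTP secret are constructed for the example; the header name is the one discussed in this thread, and the code arithmetic is standard RFC 6238, not Gitea's implementation.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"net/http"
	"time"
)
// Constructed user table for the example: alice has 2FA enrolled (RFC 6238 reference secret), bob does not.
var passwords = map[string]string{"alice": "correct horse", "bob": "hunter2"}
var totpSecrets = map[string][]byte{"alice": []byte("12345678901234567890")}
// totpCode derives the 6-digit RFC 6238 code (HMAC-SHA1, 30-second step) valid at time t.
func totpCode(secret []byte, t time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// verifyTOTP accepts the current step and its two neighbours to tolerate small clock skew.
func verifyTOTP(secret []byte, code string, now time.Time) bool {
	for _, skew := range []time.Duration{-30 * time.Second, 0, 30 * time.Second} {
		want := totpCode(secret, now.Add(skew))
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

// gitAuthOK applies the requested rule to a git smart-HTTP request: the basic-auth password must match and, for a 2FA account, X-Gitea-OTP must carry a valid code.
func gitAuthOK(r *http.Request, now time.Time) bool {
	user, pass, ok := r.BasicAuth()
	if want, found := passwords[user]; !ok || !found || subtle.ConstantTimeCompare([]byte(want), []byte(pass)) != 1 {
		return false
	}
	secret, enrolled := totpSecrets[user]
	if !enrolled {
		return true // no second factor on this account
	}
	return verifyTOTP(secret, r.Header.Get("X-Gitea-OTP"), now)
}
```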

That sounds really exhausting because the OTP always needs to be refreshed. Why not use a PAT instead of the normal password?

KN4CK3R, Jan 28 '24 12:01

This is just for use in cases where I'm fetching a project once onto a server I don't want to set up SSH on.

Using tokens for this would either require making a fresh token every time which is annoying, or having one to always use which is a security hole.

Kwonunn, Jan 28 '24 14:01

This is quite interesting. On one hand user/pass auth for api/git operations is being deprecated, but it does give the idea of otp with scoped tokens 🤔

techknowlogick, Jan 28 '24 15:01

Is Gitea planning to deprecate http entirely for git operations?

Kwonunn, Jan 28 '24 15:01

No, only the combination with username and password.

KN4CK3R, Jan 28 '24 16:01

Why, if I may ask? I know GitHub has stopped allowing it but I'm not quite sure why.

Kwonunn, Jan 28 '24 17:01

Because the username/password combination should be used in less places in favor of configurable tokens.

KN4CK3R, Jan 28 '24 17:01

I see. Then, perhaps another method is more appropriate.

Maybe we could add a quick token button in this menu [image], which would generate a temporary personal access token scoped specifically to that repository and with read-only access, which you could use once to clone the repository somewhere?

Kwonunn, Jan 28 '24 17:01

No, only the combination with username and password.

Why?

JakobDev, Jan 29 '24 10:01

No, only the combination with username and password.

Why?

https://github.com/go-gitea/gitea/issues/28968#issuecomment-1913668160 https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/#background

KN4CK3R, Jan 29 '24 10:01

I see. Then, perhaps another method is more appropriate.

Maybe we could add a quick token button in this menu [image], which would generate a temporary personal access token scoped specifically to that repository and with read-only access, which you could use once to clone the repository somewhere?

Should I make a new feature request for this new idea and just leave the http OTP thing?

Kwonunn, Jan 29 '24 14:01

Not being able to use Username/Password could be a problem for one-time contributors.

JakobDev, Jan 29 '24 15:01