`hub clone public/repo` should not prompt for authentication
I commonly drop `hub` onto a new laptop just for the `hub clone user/project` syntax. It'd be awesome if that usage didn't require authentication for public repositories. In fact, I'd ideally rather it didn't prompt for authentication at all and just translated the URL; I configure `git` to use `ssh` for all github repositories and so my ssh keys will silently kick in and allow the clone to succeed.
This has come up multiple times and I've dismissed it in the past, but by now it's clear that this is a shared pain. I agree that for public repos, whatever API requests are being made could be made using the public API without authentication. However, `hub clone user/project` would fail if `user/project` is a private repo. Would this be acceptable behavior?
You could imagine issuing the request and prompting for auth if you get back a 403 or 404; this is analogous to how `git clone https://github.com/user/project` works, AFAIK.
I expect I'm missing something, but personally I don't see the merits of making an API call at all; I'd rather just shell out to `git` and not hit the API at all for `hub clone`. Certainly my muscle memory instead of `hub clone` is to `git clone` and prepend `git@github.com:`
My use case is the same as OP.
I came here to report the same issue after I couldn't figure out why cloning a private repo like `git clone git@github.com:myorg/myrepo.git` works fine but `hub clone myorg/myrepo` fails (prompting for authentication).
I attempted to leave the authentication prompts blank, give them bogus creds, etc. to see if it would fall back to SSH key authentication but no dice.
Is it not possible to `hub clone ...` on private repos today? (If this is the case, can we document it?)
I also saw the `HUB_PROTOCOL` env var mentioned in issue https://github.com/github/hub/issues/1788.
I gave that a shot but ran into the same issue:

```
$ export HUB_PROTOCOL=git
$ hub clone myrepo/myorg
github.com username: ^C
$ export HUB_PROTOCOL=ssh
$ hub clone myrepo/myorg
github.com username: ^C
```

@tedmiston See https://github.com/github/hub/issues/1644#issuecomment-359002547
Thanks - I don't think it's clear to me why we would need to hit the GitHub API to clone. Couldn't it simply be building the `git clone ...` command as a string from the input and running that directly?
I do this already in other scripts by generating a personal access token.
> Couldn't it simply be building the `git clone ...` command as a string from the input and running that directly?

It could, yes. That's why this issue is still open. However, almost all other hub commands will eventually need to authenticate to GitHub API over HTTPS (either using username/password or a Personal Access Token). Hub can't use GitHub API over SSH. If you don't want hub to communicate to GitHub API, you will have to avoid using hub altogether.
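
The URL translation discussed above, as an added example that is not part of the thread and not hub's own code: it turns `owner/repo` into a clone URL with no API call and rejects input that git could read as an option or a path. The function names `repo_url` and `clone_direct`, the accepted protocol values, and the use of `HUB_PROTOCOL` as the default are assumptions of this sketch.

```shell
# Added example (not hub's implementation). Names are hypothetical.

# Print the clone URL for "owner/repo", or return 1 if the spec is unsafe.
# Protocol: second argument, else $HUB_PROTOCOL, else https.
repo_url() {
    spec=$1
    proto=${2:-${HUB_PROTOCOL:-https}}
    # Reject option-like input, extra path segments, traversal, empty parts.
    case $spec in
        -*|*/*/*|*..*|/*|*/) return 1 ;;
    esac
    owner=${spec%%/*}
    repo=${spec#*/}
    [ "$owner" != "$spec" ] || return 1        # no slash at all
    # Allow only letters, digits, dot, underscore and hyphen.
    case $owner$repo in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    case $proto in
        ssh)   printf 'git@github.com:%s/%s.git\n' "$owner" "$repo" ;;
        https) printf 'https://github.com/%s/%s.git\n' "$owner" "$repo" ;;
        *)     return 1 ;;  # git:// is not offered: unauthenticated, unencrypted
    esac
}

# Clone without touching the GitHub API; git's own transport (SSH keys or
# the HTTPS credential helper) handles authentication for private repos.
clone_direct() {
    url=$(repo_url "$1" "${2:-}") || {
        echo "invalid repository spec: $1" >&2
        return 1
    }
    git clone -- "$url"    # "--" ends option parsing before the URL
}
```
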
That makes sense. I do want to communicate with the GitHub API on operations that require it. I would strongly prefer not to grant access to that via my raw creds... I also have 2FA on my account and couldn't find documented whether that was supported.
I found in the docs that it's possible to bypass the username and password prompt by alternatively providing an access token via the `GITHUB_TOKEN` env var.
Is it possible to store this token somewhere else besides e.g., a global env var in my `~/.bash_profile`? Like git config, `~/.config/hub`, etc.? Alternatively, is there a way to receive a prompt that accepts the access token, instead of username & password, and takes care of storing it?
> I also have 2FA on my account and couldn't find documented whether that was supported.

2FA is supported. After supplying username and password, you will be prompted for 2FA code.
> I would strongly prefer not to grant access to that via my raw creds...

Sure, that makes sense. FWIW, hub doesn't send nor store your password anywhere else other than using it to log into https://api.github.com one time. The code is open source so you can easily verify this.
> Is it possible to store this token somewhere else besides e.g., a global env var

Yes. You can paste your Personal Access Token instead of your password after being prompted for username on the command line.
The way it works now would be tolerable (?) if it was documented. The getting started page apparently covers cloning public repositories, but it doesn't mention authentication one bit. Authentication is covered by the man page to a degree. But I just tried using `hub` on another laptop, it asked for username/password, then said, "Not Found." 2FA? On my old laptop it worked. It took me a while to figure out that I can store the Personal access token in `~/.config/hub`. An undocumented feature? A deprecated feature?
I had the same problem as @x-yuri. Here's an example of what `~/.config/hub` should look like:

```yaml
github.com:
- user: {your username}
  oauth_token: {personal token from https://github.com/settings/tokens}
```

Storing a permanent token in a plain text file doesn't feel very secure, though. Is there a better way?
> Storing a permanent token in a plain text file doesn't feel very secure, though. Is there a better way?

Yeah, I don't like it either. I don't know if `~/.config/hub` format is documented, but if this config could be read from `~/.gitconfig` instead, it would be possible to store the token in macOS Keychain (or similar for other OS) and dynamically read, as suggested here since `git-config` can exec scripts to fetch this value.
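
One way to keep the token out of both `~/.bash_profile` and a plaintext `~/.config/hub`, as an added example that is not part of the thread and not hub's own code: a wrapper reads the token from the OS secret store and passes it as `GITHUB_TOKEN` to a single hub process, plus a check that an existing config file is not readable by group or others. The service label `hub-github-token`, the function names, and the `HUB_TOKEN_CMD` and `HUB_BIN` variables are assumptions of this sketch; `security` and `secret-tool` are the stock macOS Keychain and libsecret CLIs.

```shell
# Added example (not hub's implementation). Names and labels are hypothetical.
SERVICE=hub-github-token

# Print the stored token on stdout, or fail if no store is available.
token_from_store() {
    if [ -n "${HUB_TOKEN_CMD:-}" ]; then
        sh -c "$HUB_TOKEN_CMD"              # override for other stores or tests
    elif command -v security >/dev/null 2>&1; then
        # macOS Keychain
        security find-generic-password -s "$SERVICE" -a "$USER" -w
    elif command -v secret-tool >/dev/null 2>&1; then
        # libsecret (GNOME Keyring and compatible stores)
        secret-tool lookup service "$SERVICE" account "$USER"
    else
        return 1
    fi
}

# Run hub with GITHUB_TOKEN set for that one process only; the token is
# never exported into the interactive shell's environment.
hub_with_store() {
    token=$(token_from_store) || return 1
    [ -n "$token" ] || return 1
    GITHUB_TOKEN=$token "${HUB_BIN:-hub}" "$@"
    rc=$?
    unset token
    return $rc
}

# Succeed only if the file has no group/other permission bits (e.g. 0600).
config_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}
```

With this in place, `alias hub=hub_with_store` keeps existing muscle memory, and `config_is_private ~/.config/hub || chmod 600 ~/.config/hub` tightens a config file that still holds a token.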