
Retrieve auth token from git credential helper

Open oyamauchi opened this issue 3 years ago • 3 comments

Git has a way to store repo credentials, which includes GitHub tokens; spr should have a way to use that, instead of needing spr.githubAuthToken. This would avoid having copies of tokens all over the place in .git/config files.

In my global .gitconfig:

[credential]
helper = store

The store helper by default stores credentials in ~/.git-credentials, which looks like:

https://oyamauchi:ghp_*******@github.com

Then this code retrieves credentials for the repo at the URL you pass to CredentialHelper::new:

use git2::Config;
use git2::CredentialHelper;

fn main() {
  // Load the user's git config (global + system), which holds [credential] helper = store
  let config = Config::open_default().unwrap();
  // Ask the configured helper(s) for credentials matching this repo URL
  let mut cred_helper = CredentialHelper::new("https://github.com/getcord/spr.git");
  cred_helper.config(&config);
  // execute() returns Option<(username, password)>; the token is the password
  println!("{:?}", cred_helper.execute());
}

Which outputs:

Some(("oyamauchi", "ghp_*******"))

oyamauchi, Jun 25 '22 16:06

Interesting. I can see the problem. .git/config files are generally readable by any user. It's not the right place to store credentials. This must be fixed.

I'm not sure if just using git credentials is a user-friendly solution. One, because the user has to set something up, or credentials are not persisted. Two, because it overlaps with other use cases. A user may have stored some GitHub credentials in git-credentials already (maybe to be able to git fetch from any GitHub https address), but those credentials may not have the scopes that spr needs. Three, I can't find a way to store credentials using git2. It can retrieve them through the CredentialHelper, but I don't see how it can write them. Four, I like to be able to use different creds in different local repos (having a personal and a work GitHub account). The last one is probably a fringe use case, not relevant for most people.

I looked at the GitHub CLI tool (gh), and it maintains its own file to store credentials (~/.config/gh/hosts.yml), with restrictive file permissions. It stores them by-host, so in that sense it's very similar to Git's credential storage.

I'll have another think...

sven-of-cord, Jun 27 '22 20:06

Yeah, I don't think it necessarily has to be git-credentials, just some kind of centralized storage. (1) because of the security angle, and (2) because it's more convenient, like if you have multiple repos where you're using spr.

oyamauchi, Jun 27 '22 21:06

Related to this, it would be great if we could configure the token to be fetched via a simple command -- my personal preference for this would be to store it in 1password and use their shell command op to fetch it. That would be a pretty agnostic way to do this.

sunshowers, Jun 11 '24 20:06
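The two token sources discussed in this thread, the git credential-helper protocol that git2's CredentialHelper drives (first post) and a user-supplied command such as op (last comment), as an added example that is not spr's code and uses only the Rust standard library; the `git credential fill` request/reply format and the `store` helper's `https://user:token@host` line format are real, while the sample reply, the `ghp_EXAMPLE` value and the command strings are constructed for illustration:

```rust
use std::process::Command;

/// Build the request `git credential fill` reads on stdin: one `key=value`
/// per line, terminated by a blank line. Only protocol and host are needed.
pub fn credential_request(repo_url: &str) -> Option<String> {
    let (protocol, rest) = repo_url.split_once("://")?;
    // Drop any path and any `user@` prefix so only the host remains.
    let host = rest.split('/').next()?.rsplit('@').next()?;
    Some(format!("protocol={}\nhost={}\n\n", protocol, host))
}

/// Parse the helper's reply (`username=...`, `password=...` lines) into the
/// same (user, token) pair git2's CredentialHelper::execute() returns.
pub fn parse_credential_reply(reply: &str) -> Option<(String, String)> {
    let mut user = None;
    let mut pass = None;
    for line in reply.lines() {
        match line.split_once('=') {
            Some(("username", v)) => user = Some(v.to_string()),
            Some(("password", v)) => pass = Some(v.to_string()),
            _ => {}
        }
    }
    Some((user?, pass?))
}

/// Parse one line of the `store` helper's ~/.git-credentials file
/// (`https://user:token@host`) into (host, user, token). Percent-encoded
/// characters are left as-is; this only splits the line.
pub fn parse_store_line(line: &str) -> Option<(String, String, String)> {
    let (_, rest) = line.trim().split_once("://")?;
    let (userinfo, host) = rest.rsplit_once('@')?;
    let (user, token) = userinfo.split_once(':')?;
    Some((host.to_string(), user.to_string(), token.to_string()))
}

/// Run a user-configured command (e.g. an `op` invocation) and treat its
/// trimmed stdout as the token, so nothing is ever written to .git/config.
pub fn token_from_command(cmd: &str) -> Option<String> {
    let out = Command::new("sh").arg("-c").arg(cmd).output().ok()?;
    if !out.status.success() { return None; }
    let tok = String::from_utf8(out.stdout).ok()?.trim().to_string();
    if tok.is_empty() { None } else { Some(tok) }
}

fn main() {
    // Constructed sample of what `git credential fill` prints for github.com.
    let reply = "protocol=https\nhost=github.com\nusername=oyamauchi\npassword=ghp_EXAMPLE\n";
    println!("{:?}", parse_credential_reply(reply));
}
```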