
ghi shouldn't prompt for your password

Open jacobian opened this issue 8 years ago • 7 comments

It's bad practice to teach users to enter their passwords into random places; I'd really love to see ghi set a stronger security bar.

There are probably a few different ways to not prompt for passwords (including becoming a full-fledged OAuth client); here's one that works right now, and could be implemented just with a documentation fix:

Go to https://github.com/settings/tokens and generate a personal access token, give it repo perms, then run git config --global ghi.token <that token>.

Jun 16 '16 22:06 jacobian

I agree. Even though the software says it doesn't store the password, having to trust an unknown software (if they haven't seen the code) is a bad habit. As mentioned in the OP, we should either use OAuth or prompt the user to generate the token through GitHub.

Jun 17 '16 01:06 shubhamshuklaer

I also strongly agree with this. This is indeed a super cool project and I love it, but I would be much happier if I didn't have to type my GitHub password into it.

Jul 16 '16 21:07 heejongahn

Hi, apologies for not getting around to this issue sooner.

> It's bad practice to teach users to enter their passwords into random places; I'd really love to see ghi set a stronger security bar.

I completely agree with @jacobian here as I'm sure other collaborators will. I'm not sure when I'll have the time to implement this but I'd love to see a PR for it.

Jul 21 '16 09:07 AlexChesters

See #320

Sep 03 '16 17:09 davidascher

> It's bad practice to teach users to enter their passwords into random places

It's only marginally better to teach them that it's OK to store tokens in plaintext on disk.

Git already has a rich set of commands around secure credential storage that can interface with your OS's built-in secret storage; why not re-use that instead of reinventing the wheel? https://github.com/github/hub/issues/1217

Jan 05 '17 21:01 technomancy
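
The approach suggested in the comment above, as an added example (not ghi's code and not written by anyone in this thread): a Ruby client asks `git credential fill` for the stored secret, so the token lives in whatever helper `credential.helper` names instead of in plaintext git config. The function names are hypothetical and the sample helper reply is constructed; `git credential fill` and `GIT_TERMINAL_PROMPT` are existing git features.

```ruby
require "open3"

# Added example, not ghi's code. All helper names below are hypothetical.

# Build the key=value request that `git credential fill` reads on stdin.
# The blank line terminates the request.
def credential_request(host, protocol: "https")
  "protocol=#{protocol}\nhost=#{host}\n\n"
end

# Parse the key=value lines git writes back.
# Values may themselves contain "=", so split on the first one only.
def parse_credential(output)
  output.each_line(chomp: true).each_with_object({}) do |line, cred|
    next if line.empty?
    key, value = line.split("=", 2)
    cred[key] = value unless value.nil?
  end
end

# Default runner: shells out to git, which consults the configured
# credential.helper (OS keychain, libsecret, ...). GIT_TERMINAL_PROMPT=0
# keeps git from falling back to a terminal password prompt.
GIT_RUNNER = lambda do |request|
  out, status = Open3.capture2({ "GIT_TERMINAL_PROMPT" => "0" },
                               "git", "credential", "fill",
                               stdin_data: request, err: File::NULL)
  status.success? ? out : ""
end

# Return the stored secret for host, or nil when the helper has none.
def token_from_git_credentials(host = "github.com", runner: GIT_RUNNER)
  cred = parse_credential(runner.call(credential_request(host)))
  secret = cred["password"]
  secret.nil? || secret.empty? ? nil : secret
end

if __FILE__ == $PROGRAM_NAME
  # Constructed helper reply; the secret is a placeholder, not a real token.
  fake = ->(_req) { "protocol=https\nhost=github.com\nusername=octocat\npassword=PLACEHOLDER_TOKEN\n" }
  puts token_from_git_credentials(runner: fake)       # helper has an entry
  p token_from_git_credentials(runner: ->(_req) { "" }) # helper has nothing
end
```

When the function returns nil, the caller can tell the user how to store a token in their credential helper rather than asking for the account password.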

Agreed that a better solution is needed, but regardless, there should at least be a heads-up to users in the readme that they will need to authenticate. I was unaware of this and would have preferred a warning in the readme.

Feb 13 '17 05:02 gness1804

I added instructions to the wiki

content posted on wiki
  • Can I authenticate without a password?

Yes, you may generate a personal access token. Visit github.com/settings/tokens/new to create your token:

[Image: personal access token page with "repo" checked]

Click "Generate Token"

[Image: example 40 hex char access token]

Then configure ghi to use your token.

git config --global ghi.token 036a0402c51c9a3f7de405793d12cffe6ae354d5

Jan 17 '19 21:01 brigand