On Fri, Mar 4, 2016 at 9:51 PM, Guilherme <guibufolo@xxxxxxxxx> wrote: > Hi, > > When doing basic authentication using git clone by passing the > username and password in the url git clone will first send a GET > request without the authorization header set. > > Am i seeing this right? I believe this is an intentional behavior in either cURL or how Git uses it. Credentials aren't sent until the server returns a challenge for them, even if you include them in your clone URL or elsewhere. So yes, you're seeing it right. > > This means that if the counterpart allows anonymous cloning but not > pushing and the user provided a wrong usernam/password, it has two > options: I'm not sure why this would be true. If the remote server allows anonymous clone/fetch, then you never get prompted for credentials and, even if they're supplied, they're never sent to the remote server. If you then try to push, if the server is working correctly it should detect that anonymous users can't push and it should return a 401 with a WWW-Authenticate header. When the client receives the 401, it should send the credentials it has (or prompt for them if it doesn't have them) and the push should work without issue. Perhaps there's an issue with how your server is setup to handle permissions? > > 1. Allow the access and leave the user to figure out why he is not able to push. > > 2. Reply by setting the WWW-Authentication header and see if a > password/username is provided. This has the downside that if no > username and password is provided the user will still get a login > prompt for password and username. Upon entering twice nothing he will > still be able to clone. This can be confusing. > > Can this behaviour of git clone (and I guess all the other parts that > do basic auth) be changed to provide the authentication header right > on the first request? Or am I doing/interpreting it wrong? > > Thank you. > -- > To unsubscribe from this list: send the line "unsubscribe git" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html