Hey Bryan, Yes that will happen he will get a prompet for username/password but he already provided them in the URL and it worked before. He could clone. I think this is a little bit confusing. My problem is that the tool I'm trying to build is trying to provide the username used to log in via an environment variable. And due to the fact that the anonymous login is always the first to be tried, even if the user provides an username/password on the URL I'm not able to retrieve it. On Sat, Mar 5, 2016 at 11:20 AM, Bryan Turner <bturner@xxxxxxxxxxxxx> wrote: > On Fri, Mar 4, 2016 at 9:51 PM, Guilherme <guibufolo@xxxxxxxxx> wrote: >> Hi, >> >> When doing basic authentication using git clone by passing the >> username and password in the url git clone will first send a GET >> request without the authorization header set. >> >> Am i seeing this right? > > I believe this is an intentional behavior in either cURL or how Git > uses it. Credentials aren't sent until the server returns a challenge > for them, even if you include them in your clone URL or elsewhere. So > yes, you're seeing it right. > >> >> This means that if the counterpart allows anonymous cloning but not >> pushing and the user provided a wrong usernam/password, it has two >> options: > > I'm not sure why this would be true. If the remote server allows > anonymous clone/fetch, then you never get prompted for credentials > and, even if they're supplied, they're never sent to the remote > server. If you then try to push, if the server is working correctly it > should detect that anonymous users can't push and it should return a > 401 with a WWW-Authenticate header. When the client receives the 401, > it should send the credentials it has (or prompt for them if it > doesn't have them) and the push should work without issue. > > Perhaps there's an issue with how your server is setup to handle permissions? > >> >> 1. Allow the access and leave the user to figure out why he is not able to push. >> >> 2. Reply by setting the WWW-Authentication header and see if a >> password/username is provided. This has the downside that if no >> username and password is provided the user will still get a login >> prompt for password and username. Upon entering twice nothing he will >> still be able to clone. This can be confusing. >> >> Can this behaviour of git clone (and I guess all the other parts that >> do basic auth) be changed to provide the authentication header right >> on the first request? Or am I doing/interpreting it wrong? >> >> Thank you. >> -- >> To unsubscribe from this list: send the line "unsubscribe git" in >> the body of a message to majordomo@xxxxxxxxxxxxxxx >> More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html