Re: Remembering which http remotes require authentication

On 2023-06-21 at 06:30:33, M Hickford wrote:
> On Mon, 12 Jun 2023 at 22:22, brian m. carlson
> <sandals@xxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > What I would rather see instead is a way to indicate to Git that it
> > should always authenticate via a config option (probably something like
> > `http.*.alwaysAuth`).  I think this would work for your use case, but it
> > would also work for things like giving authenticated users higher rate
> > limits for public repositories.
> 
> Interesting. Do you know any such hosts that rate limit unauthenticated
> users? Do their users prefer SSH which always authenticates?

At GitHub, we do this with the API, and because Git LFS uses Git's
credentials and is technically implemented as part of the API, it
applies there as well.  I don't know that we have any intention of doing
it for Git operations themselves, but the reason we typically prefer
authentication is that if there's a problem, it's much easier and a
better experience to contact user XYZ and ask them to be more gentle
than to block their IP.

This is particularly useful for internal users at GitHub (like the
automatic dependency updating service, Dependabot), where we'd like to
account for who's performing lots of operations in terms of rate
limiting, and the alternative is that people use http.extraHeader or a
token in the URL, neither of which we want to encourage.  I'd much
rather rate-limit an internal service which is using too many resources
than impact unrelated users, but if they're all anonymous, that's hard.

> > I intend to add this feature at some point relatively soon, but I need
> > to sneak in a feature first to specify the authentication scheme as part
> > of the credential protocol, since we won't have it as part of the HTTP
> > 401 response.
> 
> Would it suffice to ask the user to specify the authentication scheme
> in the configuration? eg. `http.alwaysAuth=basic` or
> `http.alwaysAuth=digest`

That will probably work for most cases, but we may need to allow either
a scheme or a full WWW-Authenticate header, since in some cases there
may be parameters that are needed.
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA

Attachment: signature.asc
Description: PGP signature
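As an added illustration of the last point in the reply above (a bare scheme name versus a full `WWW-Authenticate` value), the following Python is not from this thread and not Git's code. It parses `WWW-Authenticate` challenges using the RFC 7235 grammar and then applies an assumed rule: if the client's `Authorization` response has to echo or use parameters from the challenge (Digest's realm, nonce, opaque, algorithm, qop), the full challenge must be preserved; otherwise (Basic, Bearer, where `realm` is informational) the scheme name alone suffices. The `challenge_descriptor` function, its echo-parameter table and the sample header values are constructed for this example; they are not an implemented Git option.

```python
"""Parse HTTP WWW-Authenticate challenges (RFC 7235 syntax) and decide
whether a bare scheme name is enough to describe what to send proactively.

Constructed example, not Git's code.  The "descriptor" rule below is an
assumption made for illustration, not a Git configuration option.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"      # RFC 7230 token
QUOTED = r'"(?:[^"\\]|\\.)*"'                 # quoted-string, backslash escapes allowed
TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"            # RFC 7235 token68 (e.g. a base64 blob)

_SEP_RE = re.compile(r"[\s,]*")                                   # list separators / empty items
_SCHEME_RE = re.compile(rf"({TOKEN})(?=[\s,]|$)")                 # auth-scheme
_TOKEN68_RE = re.compile(rf"\s+({TOKEN68})\s*(?=,|$)")            # scheme followed by one blob
_PARAM_RE = re.compile(rf"[\s,]*({TOKEN})\s*=\s*({TOKEN}|{QUOTED})")  # auth-param

# Parameters a client must copy into, or use when computing, its Authorization
# header.  Basic and Bearer need none, so the scheme name alone describes them.
# (Assumed table for this example.)
ECHOED_PARAMS = {"digest": ("realm", "nonce", "opaque", "algorithm", "qop")}


@dataclass
class Challenge:
    scheme: str                                         # lower-cased auth-scheme
    params: Dict[str, str] = field(default_factory=dict)  # lower-cased name -> unquoted value
    token68: Optional[str] = None                       # opaque-blob form (Negotiate, NTLM)


def _unquote(raw: str) -> str:
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def _quote(value: str) -> str:
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def parse_www_authenticate(value: str) -> List[Challenge]:
    """Split one header value into its challenges.

    The grammar is ambiguous at a comma: after `Basic realm="a",` the next
    item may be another auth-param or a new scheme.  An item of the form
    `token=value` is treated as a parameter; anything else starts a challenge.
    """
    challenges: List[Challenge] = []
    pos = _SEP_RE.match(value, 0).end()
    while pos < len(value):
        m = _SCHEME_RE.match(value, pos)
        if m is None:
            raise ValueError(f"expected auth-scheme at offset {pos}: {value[pos:]!r}")
        ch = Challenge(scheme=m.group(1).lower())
        challenges.append(ch)
        pos = m.end()

        m68 = _TOKEN68_RE.match(value, pos)
        if m68 is not None:                      # e.g. "Negotiate <base64>"
            ch.token68 = m68.group(1)
            pos = m68.end()
        else:                                    # zero or more name=value pairs
            pm = _PARAM_RE.match(value, pos)
            while pm is not None:
                ch.params[pm.group(1).lower()] = _unquote(pm.group(2))
                pos = pm.end()
                pm = _PARAM_RE.match(value, pos)
        pos = _SEP_RE.match(value, pos).end()
    return challenges


def to_challenge(ch: Challenge) -> str:
    """Re-serialise a challenge as a header value (all params quoted)."""
    if ch.token68 is not None:
        return f"{ch.scheme} {ch.token68}"
    if not ch.params:
        return ch.scheme
    return ch.scheme + " " + ", ".join(f"{k}={_quote(v)}" for k, v in ch.params.items())


def challenge_descriptor(ch: Challenge) -> str:
    """Hypothetical: the shortest value that fully describes this challenge.

    Returns the bare scheme when none of the challenge's parameters feed the
    client's Authorization header, otherwise the whole challenge.
    """
    needed = ECHOED_PARAMS.get(ch.scheme, ())
    if ch.token68 is None and not any(p in ch.params for p in needed):
        return ch.scheme
    return to_challenge(ch)


if __name__ == "__main__":
    # Constructed sample header values.
    for hdr in ('Basic realm="GitHub"',
                'Digest realm="git", qop="auth", nonce="abc123", opaque="xyz", algorithm=MD5',
                'Negotiate, Basic realm="x"'):
        for c in parse_www_authenticate(hdr):
            print(f"{hdr!r:80} -> {challenge_descriptor(c)}")
```

`Basic realm="GitHub"` reduces to `basic`, while the Digest challenge keeps every parameter, which is the difference between a `scheme`-only setting and one that has to carry a full header value.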

