On 2024-11-15 at 13:02:21, Sachin tiwari wrote:
> Sachin tiwari <sjtiwari007@xxxxxxxxx>
>
> 18:28 (3 minutes ago)
> to git
> Hello,
> Title:Git Clones Repository Even After Incorrectly Inputting Personal
> Access Token (PAT) and Leaving Password Blank
>
> Description:
> When cloning a repository using HTTPS, Git prompts for the username
> and password. However, if a Personal Access Token (PAT) is mistakenly
> entered when prompted for a username and the password is left empty,
> the repository is cloned successfully without any authentication
> failure. This behavior should not occur, as Git should ideally reject
> the clone operation when a PAT is input as a username and no password
> is provided.

This isn't a bug. Git itself has no way of knowing whether what you put
in a field is a username, password, token, or something else entirely.
The decision on authentication is made by the remote system, and it can
apply arbitrary policies on what to accept and what not to.

My guess is that you're using GitHub, and GitHub allows you to do this.
GitHub requires that you use a token, and it can be in the username or
password field, mostly for backwards compatibility (changing it now
would break a lot of things and isn't really possible).

I would say that it's definitely strongly recommended to not put secrets
in the username, because many tools will filter passwords from logs, but
the username is often not filtered, so you _should not_ do this, but
with GitHub, you can indeed do it if you really want.
-- 
brian m. carlson (they/them or he/him)
Toronto, Ontario, CA
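
The logging point in the reply above, as an added example that is not part of the original message or of Git: a password-only log filter leaves a token visible when it sits in the username position of an HTTPS URL, while redacting the whole userinfo does not. The function names, the sample log lines, and the token value are constructed for illustration; the `ghp_`-style prefixes are GitHub's published token prefixes.

```python
import re

# Userinfo part of an http(s) URL: scheme://user[:password]@host
URL_USERINFO = re.compile(
    r"(?P<scheme>https?://)(?P<user>[^\s/:@]+)(?::(?P<pw>[^\s/@]*))?@"
)

# GitHub token prefixes (classic and fine-grained PATs, OAuth and app tokens).
TOKEN_PREFIX = re.compile(r"^(ghp_|gho_|ghu_|ghs_|ghr_|github_pat_)")


def naive_redact(line):
    """Password-only filter: masks what follows ':' and keeps the username."""
    def repl(m):
        if m.group("pw") is None:
            return m.group(0)  # no password field, so nothing is masked
        return f"{m.group('scheme')}{m.group('user')}:***@"
    return URL_USERINFO.sub(repl, line)


def strict_redact(line):
    """Mask the entire userinfo, covering a secret in either field."""
    return URL_USERINFO.sub(lambda m: f"{m.group('scheme')}***@", line)


def token_in_username(line):
    """True if any URL in the line has a token-looking username."""
    return any(
        TOKEN_PREFIX.match(m.group("user"))
        for m in URL_USERINFO.finditer(line)
    )


# Constructed sample log lines; the token is a made-up placeholder.
FAKE_TOKEN = "ghp_" + "A" * 36
SAMPLE_LOG = [
    f"fetch https://alice:{FAKE_TOKEN}@github.com/example/repo.git",
    f"fetch https://{FAKE_TOKEN}@github.com/example/repo.git",
    f"fetch https://{FAKE_TOKEN}:@github.com/example/repo.git",
    "fetch https://github.com/example/repo.git",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print("naive :", naive_redact(line))
        print("strict:", strict_redact(line))
        print("flag  :", token_in_username(line))
```

The third sample line is the case from the report (token as username, empty password): the naive filter masks the empty password and leaves the token in place.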