Re: transfer.credentialsInUrl should warn about personal access tokens in user field #leftoverbits

M Hickford <mirth.hickford@xxxxxxxxx> writes:

> It would be neat to warn similarly if the user includes a personal access token in the *user* field of the remote URL:
>
>     git clone https://<pat>@github.com/...
>
> This is a popular practice according to StackOverflow
> https://stackoverflow.com/a/70320541/284795 (800k views).
>
> GitHub personal access tokens are easily recognised by their
> prefixes "ghp_" and "github_pat_"

Curious.  I do not think we have *any* code to special case such a
"token", so to Git itself, https://<pat>@github.com/... should look
as if it (assuming <pat> does not have any colon in it) is trying to
access the site with <pat> as the username.

How do we _know_ that this request with <pat> does not need a
password?  I ask because I'd prefer not to see us hardcoding any
hosting-site specific heuristics in the code, and these users
apparently are doing fine without any such hardcoding.  If we can
reuse the mechanism that is letting them do so when deciding if we
should warn, it would be great.

Are users expected to configure their credential helpers to know that
it is a <pat> (perhaps with authtype=Bearer)?

Sorry for not giving any answer and piling more questions on top.


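For reference, here is an added example (not code from the git project or from anyone in this thread) of the check under discussion: it classifies the userinfo part of a remote URL the way transfer.credentialsInUrl would, and additionally flags the "ghp_"/"github_pat_" prefixes named above when they appear in the user field. The prefix list and the redaction format are my own assumptions, not anything Git implements.

```python
from urllib.parse import urlsplit, urlunsplit

# Prefixes mentioned in the thread as easily recognised GitHub token formats.
# This is an assumed, illustrative list, not something Git itself knows about.
TOKEN_PREFIXES = ("ghp_", "github_pat_")


def classify_url_credentials(url: str) -> str:
    """Classify what the userinfo part of a scheme-style remote URL carries.

    Returns one of:
      "none"     - no userinfo at all
      "password" - user:password form (what transfer.credentialsInUrl catches)
      "token"    - a lone user field that looks like a known token prefix
      "user"     - a lone user field with no recognisable token prefix
    scp-like syntax (git@host:path) has no scheme and is reported as "none".
    """
    parts = urlsplit(url)
    user, password = parts.username, parts.password
    if user is None and password is None:
        return "none"
    if password is not None:
        # Note the caveat from the thread: a token containing a colon would be
        # split here into a user and a password, and land in this branch.
        return "password"
    if user.startswith(TOKEN_PREFIXES):
        return "token"
    return "user"


def redact_url(url: str) -> str:
    """Replace any userinfo with a placeholder so the URL is safe to log."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit((parts.scheme, f"<redacted>@{host}",
                       parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample values; the token strings are placeholders, not real tokens.
    for sample in ("https://ghp_EXAMPLE0000@github.com/org/repo.git",
                   "https://alice:s3cret@example.com/repo.git",
                   "https://github.com/org/repo.git"):
        print(classify_url_credentials(sample), redact_url(sample))
```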

