RE: transfer.credentialsInUrl should warn about personal access tokens in user field #leftoverbits

On January 10, 2025 4:33 PM, Junio C Hamano wrote:
>M Hickford <mirth.hickford@xxxxxxxxx> writes:
>
>> It would be neat to warn similarly if the user includes a personal access token in
>> the *user* field of the remote URL:
>>
>>     git clone https://<pat>@github.com/...
>>
>> This is a popular practice according to StackOverflow
>> https://stackoverflow.com/a/70320541/284795 (800k views).
>>
>> GitHub personal access tokens are easily recognised by their prefixes
>> "ghp_" and "github_pat_"
>
>Curious.  I do not think we have *any* code to special case such a "token", so to Git
>itself, https://<pat>@github.com/... should look as if it (assuming <pat> does not
>have any colon in it) is trying to access the site with <pat> as the username.
>
>How do we _know_ that this request with <pat> does not need a password?  I ask
>because I'd prefer not to see us hardcoding any hosting-site specific heuristics in the
>code, and these users apparently are doing fine without any such hardcoding.  If we
>can reuse the mechanism that is letting them do so when deciding if we should
>warn, it would be great.
>
>Are users expected to configure their credential helpers to know that it is a <pat>
>(perhaps with authtype=Bearer)?

This is why I implemented my own credential layer - sorry, cannot share,
but can describe if asked (maybe at a Git Merge? 😉 ). Git should not need to
know about GitHub-specific access methods for HTTPS, where PAT is required
for git push. There is no password for PAT use, which makes it highly insecure
if persisted on disk - I do not know why GitHub went down that path, I guess
they did not want any potential CVEs associated with SSH-like passphrases.
PAT became a real annoyance for my community, so I had to do something quick
and adding my own credential manager seemed expedient (and works pretty
well - but if someone wants to do this, they must be very careful managing
access to the cached PAT's memory use). The primary use case in my situation
is not actually git push, but the creation of Pull Requests on GitHub from
scripts or a CLI since NonStop has no GUI adapter to access their website.

>
>Sorry for not giving any answer and piling more questions on top.
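
The two situations the thread distinguishes, a password embedded in the URL (what transfer.credentialsInUrl already warns on) and a user field that merely looks like a GitHub token, written as a repository-side check that scans remote URLs in a git config and reports them with the secret redacted. This is an added example, not Git's code nor anything from the thread; the token prefixes are the ones quoted above, the helper names are this example's own, and the sample config and token value are constructed.

```python
import re
from urllib.parse import urlsplit

# Prefixes quoted in the thread; Git itself keeps no such list (this example's assumption).
GITHUB_TOKEN_PREFIXES = ("ghp_", "github_pat_")

def classify_url(url: str):
    """None if the URL embeds no credential, else a short reason string."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.username is None:
        return None  # not an HTTP(S) remote, or no userinfo at all
    if parts.password is not None:
        return "password in URL"  # the case transfer.credentialsInUrl already catches
    if parts.username.startswith(GITHUB_TOKEN_PREFIXES):
        return "token-shaped username in URL"  # the extra heuristic from the thread
    return None  # ordinary username: Git will still prompt for a password

def redact(url: str) -> str:
    """Replace the userinfo so the URL can be reported without leaking the secret."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    return parts._replace(netloc="<redacted>@" + parts.netloc.rsplit("@", 1)[1]).geturl()

def scan_git_config(text: str):
    """Return (remote, reason, redacted_url) for each remote url= line that embeds a credential."""
    findings, remote = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'\[(\w+)(?: "([^"]+)")?\]', line)
        if m:  # section header: remember the remote name, forget it for other sections
            remote = m.group(2) if m.group(1) == "remote" else None
            continue
        m = re.match(r"url\s*=\s*(\S+)", line)
        if m and remote is not None:
            reason = classify_url(m.group(1))
            if reason:
                findings.append((remote, reason, redact(m.group(1))))
    return findings

# Constructed sample .git/config; the token value is a placeholder, not a real PAT.
SAMPLE_CONFIG = """\
[remote "origin"]
    url = https://ghp_EXAMPLEtoken00000000000000000000000@github.com/example/repo.git
[remote "mirror"]
    url = https://deploy:s3cret@git.example.test/example/repo.git
[remote "upstream"]
    url = https://github.com/example/repo.git
"""
```

Feed scan_git_config() the text of a repository's .git/config; on the sample above it reports origin (token-shaped user field) and mirror (password) and leaves upstream alone.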
