mezis / git-whistles

A set of bells and whistles for your Git.

Read PT token from ENV #34

Closed tadejm closed 8 years ago

tadejm commented 9 years ago

Many of us have .gitconfig committed and pushed in the dotfiles public repo on GitHub.

Myself, I store sensitive keys in a .private file which is ignored by git and gets sourced when the env loads.

In order to prevent the PT token leaking, my suggestion is to check if the PIVOTAL_TOKEN env variable exists and have it take precedence over git config pivotal-tracker.token.

Thoughts?

pedrocunha commented 9 years ago

Hello @tadejm, thanks for your suggestion. I see one problem in that solution - what if the user has different pivotal tracker accounts?

Also, your pivotal-tracker.token should only be visible in your .gitconfig if you set it through the --global flag, or am I wrong?

tadejm commented 9 years ago

I see your point. A possible solution would be not to store the pivotal token in the global gitconfig but rather have it specified by project in the <project root>/.git/config. That gives you the flexibility of per project token.

However, if you're using a single token for all the projects, having the possibility of setting it as an ENV variable decreases a potential security breach (accidental global gitconfig ends up in a public repo on GH).

So the logic would be something like:

mezis commented 9 years ago

So the logic would be something like:

@tadejm that's the default behaviour. Your PT token doesn't have to be global; you can specify it per-repo, which is how I'm using it regularly.

git config pivotal-tracker.token will read from the current repo and fall back to the default value.

pedrocunha commented 9 years ago

@tadejm does @mezis's solution work for you?

tadejm commented 9 years ago

Yes, that works, though it’s a workaround.

However, I’m still keen on spiking the proposed solution. I’ll let you guys then decide whether you see it as part of the gem or not.

On 23 Oct 2014, at 12:04, Pedro Cunha notifications@github.com wrote:

@tadejm https://github.com/tadejm does @mezis https://github.com/mezis solution work for you?


pedrocunha commented 8 years ago

Hey @tadejm I'll close this for now. Feel free to open this again if you make any progress / contribute to it. Thank you.
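
The precedence discussed in this thread (the proposed PIVOTAL_TOKEN environment variable first, then the per-repo pivotal-tracker.token, then the global one), as an added Ruby example; it is not code from git-whistles or from any participant. The names `git_config_scope`, `resolve_pt_token` and `dotfile_exposure?` are hypothetical, and only the `--local` and `--global` git config scopes are consulted.

```ruby
require 'open3'

# Added example, not git-whistles code. PIVOTAL_TOKEN is the variable name
# proposed in the thread; pivotal-tracker.token is the key the thread mentions.
PT_KEY = 'pivotal-tracker.token'
Resolved = Struct.new(:token, :source)

# Read the key from one git config scope (:local or :global).
# Returns nil when the key is unset, git is missing, or we are outside a repo.
def git_config_scope(scope, key = PT_KEY)
  out, status = Open3.capture2('git', 'config', "--#{scope}", '--get', key,
                               err: File::NULL)
  value = out.strip
  status.success? && !value.empty? ? value : nil
rescue Errno::ENOENT
  nil
end

# Precedence: environment, then <repo>/.git/config, then ~/.gitconfig.
# `lookup` is injectable so the order can be checked without touching git.
def resolve_pt_token(env: ENV, lookup: method(:git_config_scope))
  env_token = env['PIVOTAL_TOKEN'].to_s.strip
  return Resolved.new(env_token, :env) unless env_token.empty?

  %i[local global].each do |scope|
    value = lookup.call(scope)
    return Resolved.new(value, scope) if value
  end
  Resolved.new(nil, :none)
end

# True when the token in use lives in the global config, i.e. the file that
# tends to be committed to a public dotfiles repo.
def dotfile_exposure?(resolved)
  resolved.source == :global
end

if $PROGRAM_NAME == __FILE__
  found = resolve_pt_token
  # Report where the token came from, never the token itself.
  puts "pivotal token source: #{found.source}"
  warn 'token is stored in the global gitconfig' if dotfile_exposure?(found)
end
```
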