r-lib / gitcreds

Query git credentials from R
https://gitcreds.r-lib.org/

gitcreds can inadvertently use oauth token deposited by github's gh cli #33

Closed maxheld83 closed 3 years ago

maxheld83 commented 3 years ago

I think GitHub's gh CLI may deposit its (oauth!) token in such a way that it may be (inadvertently?) used by gitcreds:

gh auth refresh
Rscript -e "gitcreds::gitcreds_get()"
<gitcreds>
  protocol: https
  host    : github.com
  username: maxheld83
  password: <-- hidden -->
gh::gh_whoami()
#> {
#>   "name": "Max Held",
#>   "login": "maxheld83",
#>   "html_url": "https://github.com/maxheld83",
#>   "scopes": "gist, read:org, repo, workflow",
#>   "token": "gho_...NEf6"
#> }

As per the token prefix, this is an OAuth access token, not a PAT.

This has happened to me as I first installed and played around with GitHub's gh (!= r-lib/gh), and then tried to deposit another PAT into gitcreds::gitcreds_set().

Because the two are username-keyed (maxheld83@https://github.com in this case), it appears that setting one (oauth token from gh, or PAT from github ui) will always replace the other.

I'm not sure this is a problem per se, just thought it was a bit odd/unexpected. Coming from a PAT-world, perhaps it is possible that this can lead to unexpectedly elevated scopes under some scenarios.

(A related problem with more discussion arises in credentials, which doesn't expect username-keyed tokens https://github.com/r-lib/credentials/issues/16)

gaborcsardi commented 3 years ago

Coming from a PAT-world, perhaps it is possible that this can lead to unexpectedly elevated scopes under some scenarios.

The gh cli sets a generic token, that is also used by command line git. I assume this is by design.

gitcreds by default uses the same token as command line git, which is the whole point of it. In fact gitcreds just calls command line git to get/set the credentials.

In general people only want a single token for a single user on the same machine. Since all programs have access to command line git's credentials, it is hard to imagine a case when this causes security issues.

It seems like you want to use a different token for GH cli and R packages based on gitcreds. This is surely possible with some extra setup. The exact setup probably depends on the credential helper you use. Which token do you want to use in command line git (and thus RStudio)?
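As an added example (not code from this thread, from gitcreds or from the gh CLI), the POSIX shell helper below queries the same credential store that gitcreds reads, through `git credential fill`, and reports what kind of GitHub token is stored there by its prefix, without ever printing the secret. Only the `gho_` OAuth prefix appears in the thread; the other prefixes are assumed from GitHub's published token formats.

```shell
#!/bin/sh
# Report which kind of GitHub token the git credential helper holds for a host.
# The secret is classified by prefix and never echoed.

classify_token() {
  # $1: token value. Prefixes other than gho_ are assumptions, not from the thread.
  case "$1" in
    gho_*)        echo "oauth" ;;            # OAuth access token, e.g. deposited by gh CLI
    ghp_*)        echo "pat" ;;              # classic personal access token
    github_pat_*) echo "fine-grained-pat" ;; # fine-grained personal access token
    ghu_*|ghs_*|ghr_*) echo "github-app" ;;  # GitHub App user/server/refresh tokens
    "")           echo "none" ;;             # helper returned no credential
    *)            echo "unknown" ;;
  esac
}

credential_token_type() {
  # Reads a `git credential fill` block (key=value lines) on stdin and
  # classifies the password field. Values may themselves contain '='.
  token=$(awk -F= '$1=="password"{print substr($0, index($0,"=")+1)}')
  classify_token "$token"
}

stored_token_type() {
  # $1: host, e.g. github.com. Needs git and a configured credential helper;
  # GIT_TERMINAL_PROMPT=0 stops git from asking interactively when nothing is stored.
  printf 'protocol=https\nhost=%s\n' "$1" \
    | GIT_TERMINAL_PROMPT=0 git credential fill 2>/dev/null \
    | credential_token_type
}
```

Running `stored_token_type github.com` on a machine where `gh auth login` has just been used should report `oauth`, which is the situation described in this issue.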

maxheld83 commented 3 years ago

I have no need for using separate tokens, I was just surprised by this sharing of tokens and confused about what's considered good practice here.

Apologies for the noise.

Reopen if you'd like to add 2-3 sentences somewhere appropriate in the docs to point this out.