robwierzbowski / grunt-build-control

Version control your built code.
MIT License
380 stars 36 forks

Add support for git authentification #45

Closed SBoudrias closed 9 years ago

SBoudrias commented 9 years ago

When running in a CI environment (for instance Travis), there's no ssh key to help authenticating someone to the remote git.

GitHub provides https git endpoints that work this way: https://<user>:<token>@github.com/repo.git

We sure can provide the formatted URL manually, but this makes it tricky to keep the secure token out of the logs. Adding user/token options and ensuring in the task that we never log the token would be pretty useful.

kevinawoo commented 9 years ago

Interesting, are you planning on reading the user/token from an untracked file? Would it be possible to do the same with the url itself, reading that from an untracked file?

SBoudrias commented 9 years ago

Untracked file or server settings. For example you'd set a set encoded key in your .travis.yml.

The thing is we don't want to set a manually configured URL variable because this information is not seen as "secure" information, so chances are future updates to the project will log the secret key without realizing. Having specific login credentials and handling them inside the plugin will ensure authors changing the code realize these are private pieces of information.

kevinawoo commented 9 years ago

Got it.

I'll look into it after I make some tests.

How did you expect your Gruntfile config to look for this?

SBoudrias commented 9 years ago

```js
buildcontrol: {
  url: 'https://my-app.com',
  login: 'myname',
  token: 'secret-https-token'
}
```

And buildcontrol would generate the final url as https://myname:secret-https-token@my-app.com, making sure to never log the name and the token. Like:

```
pushing to https://<CREDENTIALS>@my-app.com
Done!
```

kevinawoo commented 9 years ago

I had the idea of overriding grunt.log functions to filter out the login and token.

Any thoughts? https://github.com/robwierzbowski/grunt-build-control/compare/feature/sensitive-logging

SBoudrias commented 9 years ago

I feel like using the url utility would be cleaner than parsing url strings: http://nodejs.org/api/url.html

About the logging, that sounds good; maybe I'd parse login and token independently in order to not rely on a specific syntax.

kevinawoo commented 9 years ago

Good idea on url.

I'm concerned for the case of http://kevinawoo:1111@github.com/kevinawoo/grunt-build-control.git

where { login: 'kevinawoo' }

The url library treats auth as user:pass, so I don't think it should be much of a problem.

SBoudrias commented 9 years ago

Yeah, current log parsing seems good enough. Maybe just scrub the token on its own too, just for extra security - I'm just a bit paranoid here.

kevinawoo commented 9 years ago

Can do, I'll go one step further and scrub it case insensitive too!