Open oyamauchi opened 2 years ago
Interesting. I can see the problem. `.git/config` files are generally readable by any user. It's not the right place to store credentials. This must be fixed.

I'm not sure if just using git credentials is a user friendly solution. One, because the user has to set something up, or credentials are not persisted. Two, because it overlaps with other use cases. A user may have stored some GitHub credentials in git-credentials already (maybe to be able to `git fetch` from any GitHub https address), but those credentials may not have the scopes that spr needs. Three, I can't find a way to store credentials using git2. It can retrieve them through the `CredentialHelper`, but I don't see how it can write them. Four, I like to be able to use different creds in different local repos (having a personal and a work GitHub account). The last one is probably a fringe use case, not relevant for most people.

I looked at the GitHub CLI tool (`gh`), and it maintains its own file to store credentials (`~/.config/gh/hosts.yml`), with restrictive file permissions. It stores them by-host, so in that sense it's very similar to Git's credential storage.
I'll have another think...
Yeah, I don't think it necessarily has to be git-credentials, just some kind of centralized storage. (1) because of the security angle, and (2) because it's more convenient, like if you have multiple repos where you're using spr.
Related to this, it would be great if we could configure the token to be fetched via a simple command -- my personal preference for this would be to store it in 1Password and use their shell command `op` to fetch it. That would be a pretty agnostic way to do this.
Git has a way to store repo credentials, which includes GitHub tokens; spr should have a way to use that, instead of needing `spr.githubAuthToken`. This would avoid having copies of tokens all over the place in `.git/config` files.

In my global `.gitconfig`:

The `store` helper by default stores credentials in `~/.git-credentials`, which looks like:

Then this code retrieves credentials for the repo at the URL you pass to `CredentialHelper::new`:

Which outputs:
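As an added illustration of the lookup this post describes (written for this page; it is not spr's or git2's code and not the snippet the post originally contained): a Python function that reads the `~/.git-credentials` line format used by the `store` helper and resolves an entry for a repo URL on protocol and host, the way `git credential fill` does. The file contents, usernames and tokens below are constructed placeholders.

```python
"""Resolve a credential from the `store` helper's file format.

Hypothetical example for this issue thread. Matching follows git's store
helper: protocol and host must match, the username only if one was asked
for, and the URL path is ignored (git's default without useHttpPath).
"""
from urllib.parse import urlsplit, unquote

# Constructed sample of a ~/.git-credentials file (mode 0600 on disk);
# the two tokens are placeholders, not real credentials.
SAMPLE_GIT_CREDENTIALS = """\
https://alice:ghp_PLACEHOLDER_PERSONAL@github.com
https://alice-work:ghp_PLACEHOLDER_WORK@github.example.com
"""


def parse_git_credentials(text):
    """Return (protocol, host, port, username, password) tuples, one per line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = urlsplit(line)
        # Lines without user:password are not credential entries; skip them.
        if parts.username is None or parts.password is None or not parts.hostname:
            continue
        # Username and token are percent-encoded in the file (e.g. '@' as %40).
        entries.append((parts.scheme, parts.hostname.lower(), parts.port,
                        unquote(parts.username), unquote(parts.password)))
    return entries


def fill(url, credentials_text, username=None):
    """Mimic `git credential fill` for the repo at `url`.

    Returns (username, password) for the first matching entry, or None when
    no stored credential applies (caller should then prompt or fail).
    """
    target = urlsplit(url)
    want_host = (target.hostname or "").lower()
    for proto, host, port, user, password in parse_git_credentials(credentials_text):
        if proto != target.scheme or host != want_host or port != target.port:
            continue
        if username is not None and username != user:
            continue
        return user, password
    return None
```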