spacedentist / spr

Submit pull requests for individual, amendable, rebaseable commits to GitHub
MIT License
373 stars 32 forks

Retrieve auth token from git credential helper #83

Open oyamauchi opened 2 years ago

oyamauchi commented 2 years ago

Git has a way to store repo credentials, which includes GitHub tokens; spr should have a way to use that, instead of needing spr.githubAuthToken. This would avoid having copies of tokens all over the place in .git/config files.

In my global .gitconfig:

```ini
[credential]
	helper = store
```

The store helper by default stores credentials in ~/.git-credentials, which looks like:


Then this code retrieves credentials for the repo at the URL you pass to CredentialHelper::new:

```rust
use git2::Config;
use git2::CredentialHelper;

fn main() {
    let config = Config::open_default().unwrap();
    // repo URL goes here (left as a placeholder in the original post)
    let mut cred_helper = CredentialHelper::new("");
    // pick up credential.helper from the git config so execute() knows what to run
    cred_helper.config(&config);
    println!("{:?}", cred_helper.execute());
}
```

Which outputs:

```text
Some(("oyamauchi", "ghp_*******"))
```

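What git2's CredentialHelper does behind that call is run `git credential fill` and speak git's credential protocol to it: a request of `key=value` lines ending in a blank line, answered by the helper in the same shape with `username=` and `password=` added. The block below is an added example, not code from spr or from the comment above; it builds that request from a repo URL, parses the reply the way git2 reports it (an `Option<(user, secret)>`), and redacts the token before anything gets printed. `fill_with_git` needs git and a configured helper on the machine, so it is the only part that is not exercised offline; the repo URL in `main` is just a sample.

```rust
// Added example (not spr's code): the `git credential fill` exchange that
// git2::CredentialHelper wraps, written out by hand with std only.
use std::io::{self, Write};
use std::process::{Command, Stdio};

/// Build the request for `git credential fill`: protocol, host and path of the
/// repo URL, one `key=value` per line, terminated by a blank line.
/// Returns None for a URL without a scheme or host.
pub fn credential_request(url: &str) -> Option<String> {
    let (protocol, rest) = url.split_once("://")?;
    let (host, path) = match rest.split_once('/') {
        Some((h, p)) => (h, Some(p)),
        None => (rest, None),
    };
    if protocol.is_empty() || host.is_empty() {
        return None;
    }
    let mut req = format!("protocol={}\nhost={}\n", protocol, host);
    if let Some(p) = path {
        if !p.is_empty() {
            req.push_str(&format!("path={}\n", p));
        }
    }
    req.push('\n'); // blank line ends the request
    Some(req)
}

/// Parse the helper's reply into (username, password). Other keys (protocol,
/// host, ...) are echoed back by git and ignored here; if either field is
/// missing the result is None, mirroring git2's Option.
pub fn parse_credential_reply(reply: &str) -> Option<(String, String)> {
    let mut user = None;
    let mut pass = None;
    for line in reply.lines() {
        if line.is_empty() {
            break; // blank line ends the reply
        }
        match line.split_once('=') {
            Some(("username", v)) => user = Some(v.to_string()),
            Some(("password", v)) => pass = Some(v.to_string()),
            _ => {}
        }
    }
    Some((user?, pass?))
}

/// Keep only the token prefix (e.g. "ghp_") so nothing logged is reusable.
pub fn redact(secret: &str) -> String {
    let shown: String = secret.chars().take(4).collect();
    let hidden = secret.chars().count().saturating_sub(4);
    format!("{}{}", shown, "*".repeat(hidden))
}

/// Ask the configured helper(s) through `git credential fill`.
/// GIT_TERMINAL_PROMPT=0 stops git from falling back to an interactive prompt
/// when no helper has the credential, so a miss returns Ok(None) instead of hanging.
pub fn fill_with_git(url: &str) -> io::Result<Option<(String, String)>> {
    let req = credential_request(url)
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "unparseable repo url"))?;
    let mut child = Command::new("git")
        .args(["credential", "fill"])
        .env("GIT_TERMINAL_PROMPT", "0")
        .stdin(Stdio::piped())
        .stdout(Stdio::piped())
        .stderr(Stdio::null())
        .spawn()?;
    child.stdin.take().unwrap().write_all(req.as_bytes())?; // dropping stdin closes the pipe
    let out = child.wait_with_output()?;
    if !out.status.success() {
        return Ok(None);
    }
    Ok(parse_credential_reply(&String::from_utf8_lossy(&out.stdout)))
}

fn main() {
    // sample URL for illustration
    match fill_with_git("https://github.com/spacedentist/spr") {
        Ok(Some((user, token))) => println!("{} {}", user, redact(&token)),
        Ok(None) => println!("no credential found for that host"),
        Err(e) => eprintln!("git credential fill failed: {}", e),
    }
}
```

One caveat that follows from the protocol: the lookup is keyed on protocol and host (and path only if `credential.useHttpPath` is set), so any helper entry for `github.com` is returned regardless of which scopes that token carries.
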
sven-of-cord commented 2 years ago

Interesting. I can see the problem. .git/config files are generally readable by any user. It's not the right place to store credentials. This must be fixed.

I'm not sure if just using git credentials is a user friendly solution. One, because the user has to set something up, or credentials are not persisted. Two, because it overlaps with other use cases. A user may have stored some GitHub credentials in git-credentials already (maybe to be able to git fetch from any GitHub https address), but those credentials may not have the scopes that spr needs. Three, I can't find a way to store credentials using git2. It can retrieve them through the CredentialHelper, but I don't see how it can write them. Four, I like to be able to use different creds in different local repos (having a personal and a work GitHub account). The last one is probably a fringe use case, not relevant for most people.

I looked at the GitHub CLI tool (gh), and it maintains its own file to store credentials (~/.config/gh/hosts.yml), with restrictive file permissions. It stores them by-host, so in that sense it's very similar to Git's credential storage.

I'll have another think...

oyamauchi commented 2 years ago

Yeah, I don't think it necessarily has to be git-credentials, just some kind of centralized storage. (1) because of the security angle, and (2) because it's more convenient, like if you have multiple repos where you're using spr.

sunshowers commented 3 weeks ago

Related to this, it would be great if we could configure the token to be fetched via a simple command -- my personal preference for this would be to store it in 1Password and use their shell command op to fetch it. That would be a pretty agnostic way to do this.
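The three storage options raised in this thread (a helper command such as 1Password's `op`, a per-user file with restrictive permissions like gh's hosts.yml, and the existing inline config value) can be tried in order. The block below is an added example, not spr's code or anything proposed by the commenters; the source order, the `op read` invocation, the `~/.config/spr/token` path and the `SPR_TOKEN_COMMAND` name are assumptions for illustration. The file source refuses anything readable by group or others, which is exactly the property `.git/config` lacks, and the writer sets 0600 at create time so the file is never world-readable even briefly.

```rust
// Added example (not spr's code): resolve a GitHub token from a command, a
// 0600 file, or an inline config value, in that order. Unix-only (file modes).
use std::fs;
use std::io;
use std::os::unix::fs::PermissionsExt;
use std::path::Path;
use std::process::Command;

#[derive(Debug, Clone)]
pub enum TokenSource {
    /// Shell command whose stdout is the token, e.g. `op read op://Private/GitHub/token`
    Command(String),
    /// File containing only the token; must be owner-only (mode 0600)
    File(String),
    /// Value taken straight from git config (spr.githubAuthToken)
    Inline(String),
}

/// Run the command via `sh -c`, take stdout, strip the trailing newline.
pub fn token_from_command(cmd: &str) -> io::Result<String> {
    let out = Command::new("sh").arg("-c").arg(cmd).output()?;
    if !out.status.success() {
        return Err(io::Error::new(io::ErrorKind::Other, format!("token command exited with {}", out.status)));
    }
    let token = String::from_utf8_lossy(&out.stdout).trim_end().to_string();
    if token.is_empty() {
        return Err(io::Error::new(io::ErrorKind::Other, "token command printed nothing"));
    }
    Ok(token)
}

/// Reject a token file that group or others can read, the check gh's
/// hosts.yml relies on and .git/config does not get.
pub fn token_from_file(path: &Path) -> io::Result<String> {
    let mode = fs::metadata(path)?.permissions().mode() & 0o777;
    if mode & 0o077 != 0 {
        return Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            format!("{} has mode {:o}; expected 0600", path.display(), mode),
        ));
    }
    let token = fs::read_to_string(path)?.trim().to_string();
    if token.is_empty() {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "token file is empty"));
    }
    Ok(token)
}

/// Create the file with mode 0600 from the start (no window where a default
/// umask leaves it readable), and re-apply 0600 if the file already existed.
pub fn write_token_file(path: &Path, token: &str) -> io::Result<()> {
    use std::io::Write;
    use std::os::unix::fs::OpenOptionsExt;
    let mut f = fs::OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        .mode(0o600)
        .open(path)?;
    f.set_permissions(fs::Permissions::from_mode(0o600))?;
    writeln!(f, "{}", token)
}

/// First source that yields a token wins; the last error is reported otherwise.
pub fn resolve_token(sources: &[TokenSource]) -> io::Result<String> {
    let mut last_err = io::Error::new(io::ErrorKind::NotFound, "no token source configured");
    for src in sources {
        let attempt = match src {
            TokenSource::Command(c) => token_from_command(c),
            TokenSource::File(p) => token_from_file(Path::new(p)),
            TokenSource::Inline(t) if !t.is_empty() => Ok(t.clone()),
            TokenSource::Inline(_) => Err(io::Error::new(io::ErrorKind::NotFound, "empty inline token")),
        };
        match attempt {
            Ok(t) => return Ok(t),
            Err(e) => last_err = e,
        }
    }
    Err(last_err)
}

fn main() {
    // Assumed configuration for illustration: SPR_TOKEN_COMMAND, then a 0600 file, then inline.
    let home = std::env::var("HOME").unwrap_or_default();
    let mut sources = Vec::new();
    if let Ok(cmd) = std::env::var("SPR_TOKEN_COMMAND") {
        sources.push(TokenSource::Command(cmd));
    }
    sources.push(TokenSource::File(format!("{}/.config/spr/token", home)));
    sources.push(TokenSource::Inline(String::new()));
    match resolve_token(&sources) {
        Ok(t) => println!("token resolved ({} chars)", t.len()),
        Err(e) => eprintln!("no usable token: {}", e),
    }
}
```

The command source keeps spr agnostic about where the secret lives (1Password, pass, a keychain wrapper) and needs nothing persisted by spr itself; the file source is the gh-style fallback for users without such a tool.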