Improve multi-account git credential support when gh is not configured as git credential helper

[williammartin]

Describe the feature or problem you’d like to solve

I'm creating this issue as a continuation of #8678 (comment) because we've had a number of issues created where gh auth switch isn't working as expected.

Background Reading

When authenticating a GitHub account with gh, users expect that the active account token will be used in the following cases:

1. For API requests e.g. fetching issues via gh issues list
2. For git operations performed via the gh e.g. gh repo clone
3. Optionally: For git operations performed externally e.g. git push

During auth login, if the following conditionals are true:

1. The flow is interactive and capable of prompting
2. The chosen git protocol is https
3. gh is not the configured credential helper for the targeted host

Then the user is presented with the following prompt:

? Authenticate Git with your GitHub credentials? (Y/n)

The purpose of this prompt is to ensure that point 3. above is addressed. If gh is configured as the credential helper, then when git requests credentials, the token of the active user will always be provided. If the user chooses "Yes" the following things can happen:

1. If no credential helper is configured, then gh is configured as the credential helper.
2. If a credential helper is configured, it will be informed of the new credential.

Additionally, it is possible to set gh as the credential helper by running gh auth setup-git at a later time, and this will override previously configured credential helpers.

How does this relate to gh auth switch?

Consider the following case:

1. I am using gh as my credential manager
2. I have logged into two accounts williammartin and not-williammartin on a single host via gh auth login
3. In both cases I selected "Yes" to authenticate git with my GitHub credentials.
4. My currently active account is not-williammartin as that is the account I logged into most recently.
5. I run gh auth switch to change my active account to williammartin
6. I run git clone williammartin/private-repo and it is successful because git requests the active token from gh.

However, consdier what happens if we don't have gh as the configured credential helper:

1. I am not using gh as my credential manager
2. I have logged into two accounts williammartin and not-williammartin on a single host via gh auth login
3. In both cases I selected "Yes" to authenticate git with my GitHub credentials.
4. My currently active account is not-williammartin as that is the account I logged into most recently.
5. I run gh auth switch to change my active account to williammartin
6. I run git clone williammartin/private-repo and it fails because my credential manager has not been updated with the token for williammartin and the repository is private.

The issue here is that gh auth switch does not offer the opportunity to update the credential helper with the token of the account we are switching to.

Workarounds

Currently we suggest that users run gh auth setup-git so that gh is their credential manager however this falls short in two places:

1. It is reactive, only solving users after they are already in trouble
2. It does not allow users to remain on their chosen credential manager, which they may use for other reasons

Proposed solution

At a high level I think the correct thing to do is to interrogate the configured credential helper when auth switch is called. If gh is configured as the credential helper than we only need to update the token in the keyring as currently happens today. If gh is not configured as the credential helper then we should update it in a similar to manner to what we do during auth login. This may require an additional prompt and some consideration to be given between ssh and https.

[jonathanmorley]

I think a useful step towards making multi-account credential management easier would be to expand the availability of the --user flag.

I often use this flag when I want reliable access to a GH for a particular user.

I would like to add it to my git config (conditionally), such that it would be either gh auth --user jonathanmorley git-credentials or gh auth --user JMorley_emu git-credentials, depending on the repository I am trying to clone.

This is not currently possible though as the git-credentials command does not support that flag.

Better support for the git config setting [credential "https://gist.github.com"].username would also be another avenue for improvement. What I have found is that if this is provided, and gh has a different profile active, it prompts for the password for the username provided by git (but doesnt automatically provide it). If gh has that profile active, it does provide the credential.

[williammartin]

Thanks @jonathanmorley, this kind of thing has been mentioned before and seems to have some support. Would you mind creating a new issue so we can prioritise it. I'd like to keep this issue specifically relating to fixing auth switch for people not using gh as their credential manager. I'm going to update the title to capture that, at the time I created the issue I just knew there was some issue that I wanted to solve but not sure what so it was a bit vague and I can understand how you ended up here.

[williammartin]

Acceptance Criteria

Two accounts using https, interactive, no credential helper configured

Given I am running the CLI interactively
And I have no credential helper configured
And I am logged into two accounts and the host protocol is https
When I run gh auth switch
Then I am presented with a prompt to authenticate git with my github credentials
And When I accept it
Then running git operations uses the token of the account I switched to
And When I run gh auth switch again
Then I am not presented with the same prompt, but my git authentication is updated

Note: The goal here is the same as auth login, that if you have no credential helper configured we will set gh as your credential helper.

Two accounts using https, interactive, non gh credential helper configured

Given I am running the CLI interactively
And I have a credential helper configured that is not gh
And I am logged into two accounts and the host protocol is https
When I run gh auth switch
Then I am presented with a prompt to authenticate git with my github credentials
And When I accept it
Then running git operations uses the token of the account I switched to
And When I run gh auth switch again
Then I am presented with the same prompt and postconditions as above

Note: The goal here is the same as auth login, that if you a credential helper configured we will inform it of new credentials on your request but we won't set gh as your credential helper.

Two accounts using https, non-interactive

Given I am running the CLI non-interactively
And I have a credential helper configured that is not gh or no credential helper configured at all
And I am logged into two accounts both using https
When I run gh auth switch
Then I receive no prompt to authenticate git with my github credentials
And running git operations uses the token of the previously active account

Out of Scope

Two accounts using https, confirm flag provided

Given I have a credential helper configured that is not gh
And I am logged into two accounts and the host protocol is https
When I run gh auth switch --authenticate-git
Then I receive no prompt to authenticate git with my github credentials
And running git operations uses the token of the account I switched to

Two accounts using https, reject flag provided

Given I have a credential helper configured that is not gh
And I am logged into two accounts and the host protocol is https
When I run gh auth switch --authenticate-git=no
Then I receive no prompt to authenticate git with my github credentials
And running git operations uses the token of the previously active account

Logging into a new account, non-interactive, flag provided

Given I have a credential helper configured that is not gh
And I am logged into two accounts and the host protocol is https
When I run gh auth switch --authenticate-git
Then I receive no prompt to authenticate git with my github credentials
And running git operations uses the token of the account I switched to

Two accounts, one using https one using ssh, interactive

Warning

It not currently possible to use different protocols for different accounts on the same host. The protocol used will be the last one chosen in an auth login flow as documented in the help. We will need to support per-account configuration of git protocol before proceeding with this.

Given I am running the CLI interactively
And I have a credential helper configured that is not gh
And I am logged into two accounts, one with https and one with ssh
And The currently active account is using https
When I run gh auth switch
Then I receive no prompt to authenticate git with my github credentials
And When I run gh auth switch again
And I accept it
Then running git operations uses the token of the account I switched to

Note: The idea here is that we shouldn't prompt ssh configured users to authenticate git with their git credentials.