Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow gh auth git-credential get to get a token for non-active user #9111

Open
emiksk opened this issue May 22, 2024 · 2 comments
Open

Allow gh auth git-credential get to get a token for non-active user #9111

emiksk opened this issue May 22, 2024 · 2 comments
Labels
enhancement a request to improve CLI gh-auth relating to the gh auth command needs-user-input

Comments

@emiksk
Copy link

emiksk commented May 22, 2024

Describe the feature or problem you’d like to solve

Currently gh auth git-credential get can get a token for only active account in specified host.

e.g.

$ gh auth status
github.com
  ✓ Logged in to github.com account emiksk (keyring)
  - Active account: true
  - Git operations protocol: https
  - Token: gho_************************************
  - Token scopes: 'gist', 'read:org', 'repo', 'workflow'

  ✓ Logged in to github.com account non-emiksk (keyring)
  - Active account: false
  - Git operations protocol: https
  - Token: gho_************************************
  - Token scopes: 'gist', 'read:org', 'repo', 'workflow'

$ gh auth git-credential get
protocol=https
host=github.com

protocol=https
host=github.com
username=emiksk
password=gho_************************************

$ gh auth git-credential get
protocol=https
host=github.com
username=non-emiksk


$

I think that gh auth git-credential get should be able to get a token regardless of whether user is active or not if the specific username is given.

Proposed solution

This enhancement will allow developers to control credentials by remote url (such as https://emiksk@github.com/org/repo and https://non-emiksk@github.com/org/repo) instead of using gh auth switch.

Additional context

This behavior is caused by using ActiveToken() method in helper.go even if a username is given.
It would be better to use the TokenForUser() method when username is given, as in token.go.

However, TokenForUser() method ignores environment variables such as GITHUB_TOKEN unlike ActiveToken() method.

cli/internal/config/config.go

Lines 448 to 458 in 140edf7

func (c *AuthConfig) TokenForUser(hostname, user string) (string, string, error) {
if token, err := keyring.Get(keyringServiceName(hostname), user); err == nil {
return token, "keyring", nil
}
if token, err := c.cfg.Get([]string{hostsKey, hostname, usersKey, user, oauthTokenKey}); err == nil {
return token, "oauth_token", nil
}
return "", "default", fmt.Errorf("no token found for '%s'", user)
}

cli/internal/config/config.go

Line 203 in 140edf7

token, source := ghAuth.TokenFromEnvOrConfig(hostname)

Therefore, if the logic of token.go and helper.go are simply made common, a behavior is changed when an environment variable exists and username is explicitly given.
Since this behavior also exists in the test case, it needs to consider whether the behavior should be changed or whether different logic should be implemented instead of sharing the same logic.
@emiksk emiksk added the enhancement a request to improve CLI label May 22, 2024
@cliAutomation cliAutomation added the needs-triage needs to be reviewed label May 22, 2024
@williammartin
Copy link
Member

Ahhh yes thank you for this excellent write up and investigation! This is something that we discussed and decided to leave out of the original multi-account MVP to keep the scope small. I'm glad you opened this because a similar thing was mentioned over here: #8875 (comment)

Can you talk a little bit more about how you would like to use this with regards remote URLs? Do you clone and configure your repositories outside of gh using git directly? Would it be interesting if we found a way in gh to make this kind of thing configurable as well? For example, perhaps we could offer configuration of remotes with a username during repo clone, repo fork etc. I'm not sure exactly what this would look like, but I think it's worth thinking holistically about the issue.

@williammartin williammartin added needs-user-input gh-auth relating to the gh auth command and removed needs-triage needs to be reviewed labels May 22, 2024
@emiksk
Copy link
Author

emiksk commented May 23, 2024
edited

@williammartin
Thank you for your reply!

For example, perhaps we could offer configuration of remotes with a username during repo clone, repo fork etc.

It’s the interesting feature. I didn’t have thought of it, yet I might use it if it’s offered.

Imagining myself using remote URLs to switch credentials, I would probably use a combination of includeIf and insteadOf in gitconfig to automatically switch remote URLs according to working directories.

For example, adding the following includeIf to gitconfig:

[includeIf "/path/to/repositories_for_emiksk]
  path = /path/to/gitconfig_for_emiksk

Then, adding the following insteadOf to /path/to/gitconfig_for_emiksk, remote URLs will automatically be changed to https://emiksk@github.com from https://github.com when I work in the git directory.

[url "https://emiksk@github.com"]
  insteadOf = https://github.com

I believe this is a nice way to automatically switch credentials for accounts for each directory.
Of course, there may be times when I want to switch between multiple credentials in one git directory.

It's the poor English writing, but I hope you get the message.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement a request to improve CLI gh-auth relating to the gh auth command needs-user-input
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@williammartin @emiksk @cliAutomation