
Allow storing credentials globally when 'local' auth.json file exists #11188

Merged (1 commit) Dec 16, 2022

Conversation

PrinsFrank (Contributor) commented Nov 16, 2022

When in interactive mode with missing credentials, the credentials are always stored in the local auth.json file if it exists, even though credentials in the auth.json might be shared through git and the user wants to store their credentials in their global auth.json:

Your GitHub credentials are required to fetch private repository metadata (https://github.com/vendor/package)
When working with _public_ GitHub repositories only, head to https://github.com/settings/tokens/new?scopes=&description=MachineName+TIMESTAMP to retrieve a token.
This token will have read-only permission for public information only.
When you need to access _private_ GitHub repositories as well, go to https://github.com/settings/tokens/new?scopes=repo&description=MachineName+TIMESTAMP
Note that such tokens have broad read/write permissions on your behalf, even if not needed by Composer.
Tokens will be stored in plain text in "~/user/.composer/auth.json" for future use by Composer.
For additional information, check https://getcomposer.org/doc/articles/authentication-for-private-packages.md#github-oauth
Token (hidden): 

This PR adds the ability to choose where to store this newly acquired token when such a local auth.json file exists before prompting for the token:

Your GitHub credentials are required to fetch private repository metadata (https://github.com/vendor/package)
When working with _public_ GitHub repositories only, head to https://github.com/settings/tokens/new?scopes=&description=MachineName+TIMESTAMP to retrieve a token.
This token will have read-only permission for public information only.
When you need to access _private_ GitHub repositories as well, go to https://github.com/settings/tokens/new?scopes=repo&description=MachineName+TIMESTAMP
Note that such tokens have broad read/write permissions on your behalf, even if not needed by Composer.
-Tokens will be stored in plain text in "~/user/.composer/auth.json" for future use by Composer.
+Tokens will be stored in plain text in "~/user/.composer/auth.json" OR "~/user/project/auth.json" for future use by Composer.
For additional information, check https://getcomposer.org/doc/articles/authentication-for-private-packages.md#github-oauth
-Token (hidden): 
+ A local auth config source was found, do you want to store the token there? [y]:
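Review bot: the added prompt line displays `[y]` as the default hint, while the `askConfirmation(...)` call shown in the review snippet passes `false` as its default; the hint and the actual default should agree (`[n]` if the default stays `false`), otherwise a user who just presses Enter gets the opposite of what the prompt suggests. The "OR" in the preceding `+` line also leaves the user guessing where the token will land; printing the resolved path after the confirmation would be clearer.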

Also, in the GitHub and BitBucket authentication, existing keys were incorrectly removed from the composer.json file instead of the auth.json file. Those issues are also fixed in this PR.
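The storage rule this PR introduces (local auth.json only when it exists and the user confirms, otherwise the global file), the key-preserving merge into auth.json rather than composer.json, and the risk the author describes (a token landing in a shared, committed auth.json) can be replayed in a few functions. The block below is an added example written for this page, not Composer's own code, and it is in Python rather than PHP for illustration; the function names, the `demo` helper, the sample Satis host and the placeholder token are constructed, and the `.gitignore` check is deliberately simplified to literal `auth.json` lines.

```python
import json
import tempfile
from pathlib import Path
from typing import Callable, Optional

# auth.json sections that hold secrets (section names follow Composer's
# documented auth.json schema; everything else in this block is assumed).
CREDENTIAL_SECTIONS = ("github-oauth", "gitlab-oauth", "gitlab-token",
                       "bitbucket-oauth", "http-basic", "bearer")

LOCAL_PROMPT = "A local auth config source was found, do you want to store the token there?"


def choose_auth_file(project_dir: Path, global_dir: Path,
                     ask: Optional[Callable[[str, bool], bool]] = None,
                     default: bool = False) -> Path:
    """Pick the auth.json a newly acquired token goes to.

    Rule from the PR: a project-local auth.json is only used when it exists AND
    the user confirms. With no `ask` callback (non-interactive run) the default
    applies, and the default is False, i.e. the global file, so a token never
    silently lands in a file that may be committed.
    """
    local_file = project_dir / "auth.json"
    global_file = global_dir / "auth.json"
    if not local_file.exists():
        return global_file
    use_local = default if ask is None else ask(LOCAL_PROMPT, default)
    return local_file if use_local else global_file


def store_token(auth_file: Path, section: str, host: str, token: str) -> dict:
    """Merge one credential into auth_file, preserving every existing key.

    Writes only to the chosen auth file, never to composer.json (the second
    problem the PR description mentions).
    """
    if section not in CREDENTIAL_SECTIONS:
        raise ValueError(f"not a credential section: {section}")
    data = json.loads(auth_file.read_text()) if auth_file.exists() else {}
    data.setdefault(section, {})[host] = token
    auth_file.parent.mkdir(parents=True, exist_ok=True)
    auth_file.write_text(json.dumps(data, indent=4) + "\n")
    auth_file.chmod(0o600)  # the token is plain text: owner-only permissions
    return data


def local_auth_exposure(project_dir: Path) -> list:
    """Defender check: credentials sitting in a project-local auth.json that the
    project's .gitignore does not exclude. Simplified on purpose: only a literal
    'auth.json' or '/auth.json' line counts as ignored, not full gitignore syntax.
    """
    local_file = project_dir / "auth.json"
    if not local_file.exists():
        return []
    gitignore = project_dir / ".gitignore"
    if gitignore.exists():
        patterns = {line.strip() for line in gitignore.read_text().splitlines()}
        if patterns & {"auth.json", "/auth.json"}:
            return []
    data = json.loads(local_file.read_text())
    return [f"{section}:{host}"
            for section in CREDENTIAL_SECTIONS
            for host in data.get(section, {})]


def demo(answer: Optional[bool] = None) -> dict:
    """Replay the scenario behind the PR with constructed sample data: a shared
    local auth.json carrying a Satis license key, then a GitHub token acquired
    either non-interactively (answer=None) or with the given prompt answer.
    """
    root = Path(tempfile.mkdtemp())
    project, home = root / "project", root / "home"
    project.mkdir()
    home.mkdir()
    shared = {"http-basic": {"satis.example.invalid":
                             {"username": "team", "password": "LICENSE-KEY-PLACEHOLDER"}}}
    (project / "auth.json").write_text(json.dumps(shared))

    ask = None if answer is None else (lambda question, default: answer)
    target = choose_auth_file(project, home, ask)
    store_token(target, "github-oauth", "github.com", "ghp_CONSTRUCTED_SAMPLE_TOKEN")

    read = lambda p: json.loads(p.read_text()) if p.exists() else {}
    return {
        "stored_globally": target == home / "auth.json",
        "global": read(home / "auth.json"),
        "local": read(project / "auth.json"),
        "exposed": local_auth_exposure(project),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` with no answer reproduces the non-interactive case argued about in the review: the local file is left untouched and the GitHub token goes to the global file, while `local_auth_exposure` still reports the shared Satis key as living in a file that is not git-ignored. `demo(True)` shows the opposite choice, after which the new token is reported as exposed too.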

$this->io->writeError('Ensure you enter a "Callback URL" (http://example.com is fine) or it will not be possible to create an Access Token (this callback url will not be used by composer)');

$storeInLocalAuthConfig = false;
if ($localAuthConfig !== null) {
$storeInLocalAuthConfig = $this->io->askConfirmation('A local auth config source was found, do you want to store the token there?', false);
Member

Considering it was previously always writing to the local one, I think the default here should be true to ensure BC if non-interactive. Same for GitHub/GitLab.

Contributor Author

The initial reason I added this PR was because we have a license key for a private Satis server distributed in an auth.json file, but when developers get rate limited on the GitHub API for example, their OAuth key gets added to the auth.json file and may now accidentally be committed. Adding false as a default makes sense here IMHO, as it has to be a conscious decision to add credentials to VCS.

I do see your point though, as the auth.json file might not be in vcs for all Composer users. I've updated the default to false.

@Seldaek Seldaek added this to the 2.5 milestone Nov 30, 2022
@Seldaek Seldaek merged commit b1f3f8b into composer:main Dec 16, 2022
Seldaek (Member) commented Dec 16, 2022

Thanks!

@PrinsFrank PrinsFrank deleted the allow-storing-credentials-globally-when-local-file-exists branch December 16, 2022 14:14
emahorvat52 pushed a commit to emahorvat52/composer that referenced this pull request Feb 3, 2023