New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No support for authenticated proxies #10026
Comments
@byjrack Thank you for the issue and apology for the troubles. Please see a workaround here: The Let us know how it goes. |
So I am behind a proxy and currently gitconfig works well to clone using cli, but just not with Desktop. What is the logic for Desktop when it comes to electing a proxy and does it support the targeted option? |
@byjrack i'll let @niik give a high level summary for the proxy logic, but yes, it does support the target option you linked to there. i believe the error you are seeing in the log ( |
So can it handle requesting the credentials like the git client? Not sure I follow removing the thing that works either. What should be the result of removing the git config? I would assume it will just get no route because it wouldn't have a proxy config any longer? |
And to just confirm running git config --global --unset https.https://github.com.proxy didn't change the experience. It still seems that it was sourcing from env and not gitconfig as I could see "2020-06-17T16:45:17.977Z - info: [ui] proxy url not resolved, https_proxy already set" in the log. Still stuck at fatal: unable to access 'https://github.com/.../': Received HTTP code 407 from proxy after CONNECT |
Based on that error, I did spot one potential solution which would force git to send the credentials and authentication method to the proxy:
Source: https://git-scm.com/docs/git-config#git-config-httpproxyAuthMethod @niik for thoughts on this In the meantime, if you are interested in our setup and logic, I'd start with this pull request: #9154 |
Yup it is an authenticated proxy so I will need to send an auth so not sure that PR would cover my issue. We also use WPAD so looking at that PR could it be that Desktop is using the system config (doesn't allow for using keychain) and because it wasn't configured to handle the auth request it is just failing? I also have Slack going and it will prompt for creds on a 407 so it's not a limit in Electron itself. In any case (system, env, or gitconfig) unless Desktop can handle the 407 I will need to hardcode the secret in the proxyURL that desktop uses. |
And tracked down this page trying to set through the code which was pretty helpful. Reading that it seems like if the envvar is set than Desktop doesn't check w the OS. And in that case the envvar has to have the user:pass@proxy structure for an authd proxy or have some mechanism. Toying with my zshrc to see if I can make it work well ideally w/o a secret hard coded. Be nice if I could control the overridden credentialhelper as that could help with keychain access. |
This version of the macos image includes node v12: https://circle-macos-docs.s3.amazonaws.com/image-manifest/v1911/index.html
Hi @byjrack, sorry for taking so long to get back to you.
Yes, you're entirely correct, if we see
Correct, GitHub Desktop explicitly unsets the default credential helper for any network operation in order to coax Git to ask our ASKPASS helper through which we can then deliver the stored username and token from your authenticated session in GitHub Desktop. desktop/app/src/lib/git/core.ts Lines 403 to 408 in d6f7518
We don't unset the One thing that I don't understand here is how you were able to sign in to the app itself. I was under the (perhaps faulty) assumption that GitHub Desktop itself (or rather Electron) would fail to make requests when located behind an authenticating proxy. |
No worries this is low priority stuff. Can I assume the clone is always done with https (from the log it appears so) and not git://? I have a .insteadof in my gitconfig to handle that, but that was one of the questions I had when the API worked while the clone operation didn't. My proxy does cache auth for sessions so could be a timing issue mixed in. I follow using the secret from Desktop for the Hub endpoints, but that wouldn't work for my proxy. In my case if I have https.proxy I will get a prompt in my shell based around the HTTP/407 and it will be cached in keychain as well using the osxhelper. And my GitHub User ID password is different than the network identity used for the proxy so there would be two independent challenges assuming the Hub action was authenticated. Electron/GHD would need to detect the 407 and prompt for credentials. Now I am on 2.5.3-b2 for Desktop which targets electron 7.1.8 which looked to have electron/electron#21135 merged so electron itself I think should support the 407. The ask_pass looks to be specifically focused on a hub endpoint challenge as well so not sure that would cover a proxy auth need. Going to test out the URL'd credhelper and see if that can fix things. I need to stay off the browser though for a bit so that cached auth clears. |
I think we'd still need to subscribe to that event and fill in the proxy credentials which we currently don't do.
For GitHub.com I believe we respect your preference from the website so yes, as long as that's your default clone protocol we'll always use that. For GitHub Enterprise Server the administrator can override the default for all users.
You're right, it wouldn't, I was using it as an example to explain why we're unsetting the credential helper. |
Is there any way to up the log level especially with env and gitconfig data? I am trying to confirm if the URL'd helper is meeting the proxy auth need, but want to be sure Desktop has the config I expect it to. I just see the https_proxy already set event, but that's not super helpful. |
This comment has been minimized.
This comment has been minimized.
@byjrack I'm afraid the only thing I can think of would be opening the DevTools console and making sure you've got all levels enabled but I don't think we do much debug logging (which is the only category that doesn't get written to disk IIRC) in the proxy path. |
@byjrack I also tried to fix this issue with my colleagues in team This is my situation:
My solution:
@tierninho I have a question that my solution seems doesn't relate to the popup error message and log file content Hope this solution can help you |
Describe the bug
Desktop fails a clone with a HTTP/407
Version & OS
macOS 10.15.2
Tried GA and 2.5.3-beta1
Steps to reproduce the behavior
Expected behavior
Repo is cloned
Actual behavior
Error noting the 407 because it couldn't handle the authentication.
In the log I could see
2020-06-16T19:15:10.777Z - info: [ui] proxy url not resolved, https_proxy already set
Unclear if this is from gitconfig or envvar. Tried to make sure they were in sync, but always get the 407 even w user:pass@proxyurl in the envvar.
Additional context
Be nice to offer a fallback to use the git client as it handles the 407 with existing proxy statements in gitconfig including prompting for password via helper if needed. Rust's cargo has a flag (git-fetch-with-cli = true) to do this similar operation as the mix of configs, envvars, and system prefs can sometimes be challenging to figure out.
The text was updated successfully, but these errors were encountered: