Cannot choose from multiple credentials

[riedel]

printf "url=https://github.com\nusername=riedel@teco.edu" | git credential fill
May 30 10:00:53.164 INFO Sending change-public-keys request
May 30 10:00:53.166 INFO Sending test-associate request
May 30 10:00:53.169 INFO Successfully authenticated against 1 database(s)
May 30 10:00:53.170 INFO Sending get-logins request
May 30 10:00:56.096 INFO KeePassXC return 2 login(s)
May 30 10:00:56.097 WARN More than 1 matching logins found, only the first one will be returned

[Frederick888]

I tried to ask for a choice from stdin but Git doesn't seem to allow passing user input onto helpers after it's done feeding its own request. Perhaps this is not feasible atm.

[JJRcop]

Someday soon this may become a real problem:
https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/

[Frederick888]

@JJRcop May I know why the KPH solution doesn't work for you?

This can be potentially solved by having a pop-up UI (like pinentry), but I'm not particularly motivated to do it since it'll pull in quite a few dependencies only to solve some fringe cases imo.

[JJRcop]

@JJRcop May I know why the KPH solution doesn't work for you?

Please forgive me for missing this, it works great. The application may consider notifying when there are multiple matching entries and link to this information.

[Frederick888]

@JJRcop Enable verbose logging -vv.

git-credential-keepassxc/src/main.rs

Lines 548 to 558 in e131992

	if !login_entries_name_matches.is_empty() {
	info!(
	"{} login(s) left after filtering by username",
	login_entries_name_matches.len()
	);
	login_entries = login_entries_name_matches;
	}
	}
	if login_entries.len() > 1 {
	warn!("More than 1 matching logins found, only the first one will be returned");
	}

In terms of the desktop notifications I'd like to keep them minimal. It might be nice to see this message via notification for the first time, but over the time it just becomes annoying imo. Notifications are limited to critical events and those require user intervention for now. If we had too many, a filter would be needed, which is another rabbit hole I don't want to go down into.

[atagen]

hi, I've tried the KPH solution linked above and GCK seems to still be requesting access to the marked entries.

I have followed the instructions exactly (KPH field return enabled in browser options, "KPH: git" field with "false" value on the relevant entry).

any advice?

edit: will followup with edit since it's not worth another comment - keepassxc, when not set to "remember" your login for github, will still prompt using all logins, but GCK will filter them after. in retrospect this should be obvious..

[Frederick888]

@atagen I'd suggest you use -vv to enable info & warning logs first. If it doesn't help, try a debug build with -vvv. Instructions can be found at https://github.com/Frederick888/git-credential-keepassxc/wiki/Troubleshooting

[stdedos]

Would you consider returning the Title (or any unique identifier) of the entries in -vv instead? 😕

For the (modified) example of https://github.com/keepassxreboot/keepassxc-browser/blob/develop/keepassxc-protocol.md#get-logins:

$ cat > ~/a.json <<"EOF"
{
    "action": "get-logins",
    "url": "<snip>",
    "submitUrl": "<optional>",
    "httpAuth": "<optional>",
    "keys": [
        {
            "id": "<saved database identifier received from associate>",
            "key": "<saved identification public key>"
        },
        {
            "id": "<another saved database identifier received from associate>",
            "key": "<saved identification public key>"
        }
    ]
}

EOF
$ jq '.keys[] | .id' ~/a.json 
"<saved database identifier received from associate>"
"<another saved database identifier received from associate>"
$