pr-git-1443/hickford/password-expiry-v2
tagged this
01 Feb 09:39
From: M Hickford <mirth.hickford@gmail.com>

Some passwords have an expiry date known at generation. This may be years away for a personal access token or hours for an OAuth access token.

Currently the credential protocol has no expiry attribute. When multiple helpers are configured, `credential fill` tries each helper in turn until it has a username and password, returning early.

When a storage helper and a credential-generating helper are configured together, the credential is necessarily stored without expiry, so `credential fill` may later return an expired credential from storage.

```
[credential]
    helper = storage  # eg. cache or osxkeychain
    helper = generate # eg. oauth
```

An improvement is to introduce a password expiry attribute to the credential protocol. If the expiry date has passed, `credential fill` ignores the password attribute, so subsequent helpers can generate a fresh credential. This is backwards compatible -- no change in behaviour with helpers that discard the expiry attribute.

Note that the expiry logic is entirely within the credential layer. Compatible helpers store and retrieve the new attribute like any other. This keeps the helper contract simple.

This patch adds support for the new attribute to cache.

Example usage in a credential-generating helper https://github.com/hickford/git-credential-oauth/pull/16

Future ideas: make it possible for a storage helper to provide OAuth refresh token to subsequent helpers. https://github.com/gitgitgadget/git/pull/1394

Signed-off-by: M Hickford <mirth.hickford@gmail.com>

Submitted-As: https://lore.kernel.org/git/pull.1443.v2.git.git.1675244392025.gitgitgadget@gmail.com
In-Reply-To: https://lore.kernel.org/git/pull.1443.git.git.1674914650588.gitgitgadget@gmail.com
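The fill behaviour this message describes, as an added C model that is not code from the patch or from Git: helpers are asked in order, an expired password is ignored, and the next helper gets a chance to supply a fresh one. Assumptions: the attribute name `password_expiry_utc` is the one in released Git's credential protocol documentation (the page does not name it), `0` stands for "no expiry" in this model, and the user name, tokens and timestamps are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
struct cred { char username[128], password[128]; time_t expiry; /* 0 = no expiry */ };
/* Constructed helper replies: "storage" holds a stale token, "generate" mints a fresh one. */
static const char *const SAMPLE[] = {
	"username=alice\npassword=old-token\npassword_expiry_utc=1000\n",
	"username=alice\npassword=new-token\npassword_expiry_utc=5000\n",
};
/* Merge one helper's key=value lines into c, then drop an expired password. */
static void apply_helper(struct cred *c, const char *resp, time_t now)
{
	char line[128], *val;
	for (; *resp; resp += strcspn(resp, "\n"), resp += (*resp == '\n')) {
		snprintf(line, sizeof(line), "%.*s", (int)strcspn(resp, "\n"), resp);
		if (!(val = strchr(line, '=')))
			continue;
		*val++ = '\0';
		if (!strcmp(line, "username"))
			snprintf(c->username, sizeof(c->username), "%s", val);
		else if (!strcmp(line, "password"))
			snprintf(c->password, sizeof(c->password), "%s", val);
		else if (!strcmp(line, "password_expiry_utc"))
			c->expiry = (time_t)strtoll(val, NULL, 10);
	}
	if (c->expiry && c->expiry < now) {
		c->password[0] = '\0'; /* expired: ignore it so the next helper is asked */
		c->expiry = 0;
	}
}

/* Ask helpers in order; return the index of the one that completed the credential, else -1. */
int fill(struct cred *c, const char *const *replies, int n, time_t now)
{
	memset(c, 0, sizeof(*c));
	for (int i = 0; i < n; i++) {
		apply_helper(c, replies[i], now);
		if (c->username[0] && c->password[0])
			return i;
	}
	return -1;
}
int main(void)
{
	struct cred c;
	printf("filled by helper %d\n", fill(&c, SAMPLE, 2, 2000)); /* stale at now=2000 */
	return 0;
}
```

A helper that discards the expiry line leaves `expiry` at 0 in this model, so the stored password is returned as before, which is the backwards-compatible case the message mentions.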