Release pr-git-1443/hickford/password-expiry-v4: credential: new attribute password_expiry_utc · gitgitgadget/git

pr-git-1443/hickford/password-expiry-v4
ae8bddb
Compare

Choose a tag to compare

View all tags

pr-git-1443/hickford/password-expiry-v4: credential: new attribute password_expiry_utc

pr-git-1443/hickford/password-expiry-v4
ae8bddb
Compare

Choose a tag to compare

View all tags

tagged this 18 Feb 06:32

From: M Hickford <mirth.hickford@gmail.com>

Some passwords have an expiry date known at generation. This may be
years away for a personal access token or hours for an OAuth access
token.

When multiple credential helpers are configured, `credential fill` tries
each helper in turn until it has a username and password, returning
early. If Git authentication succeeds, `credential approve`
stores the successful credential in all helpers. If authentication
fails, `credential reject` erases matching credentials in all helpers.
Helpers implement corresponding operations: get, store, erase.

The credential protocol has no expiry attribute, so helpers cannot
store expiry information. Even if a helper returned an improvised
expiry attribute, git credential discards unrecognised attributes
between operations and between helpers.

This is a particular issue when a storage helper and a
credential-generating helper are configured together:

	[credential]
		helper = storage  # eg. cache or osxkeychain
		helper = generate  # eg. oauth

`credential approve` stores the generated credential in both helpers
without expiry information. Later `credential fill` may return an
expired credential from storage. There is no workaround, no matter how
clever the second helper. The user sees authentication fail (a retry
will succeed).

Introduce a password expiry attribute. In `credential fill`, ignore
expired passwords and continue to query subsequent helpers.

In the example above, `credential fill` ignores the expired password
and a fresh credential is generated. If authentication succeeds,
`credential approve` replaces the expired password in storage.
If authentication fails, the expired credential is erased by
`credential reject`. It is unnecessary but harmless for storage
helpers to self prune expired credentials.

Add support for the new attribute to credential-cache.
Eventually, I hope to see support in other popular storage helpers.

Example usage in a credential-generating helper
https://github.com/hickford/git-credential-oauth/pull/16

Signed-off-by: M Hickford <mirth.hickford@gmail.com>

Submitted-As: https://lore.kernel.org/git/pull.1443.v4.git.git.1676701977347.gitgitgadget@gmail.com
In-Reply-To: https://lore.kernel.org/git/pull.1443.git.git.1674914650588.gitgitgadget@gmail.com
In-Reply-To: https://lore.kernel.org/git/pull.1443.v2.git.git.1675244392025.gitgitgadget@gmail.com
In-Reply-To: https://lore.kernel.org/git/pull.1443.v3.git.git.1675545372271.gitgitgadget@gmail.com

Assets 2

Source code (zip)

2023-02-18T06:32:57Z
Source code (tar.gz)

2023-02-18T06:32:57Z

Provide feedback

Saved searches

Use saved searches to filter your results more quickly