Dedicated command for authentication & configuration

[stuartpb]

All I really use hub for is pulling down my own repos. As a result, I've never been prompted for my username/password to connect to the API, so I'm always prompted for my username. I'd appreciate some way to just trigger the configuration by itself.

[mislav]

This is unfortunate. What I need to do is save your username so you don't have to keep re-entering it. I don't think we need a specific command to configure your account.

[stuartpb]

It's not an outlandish idea. Git has git config - maybe just extend that a bit?

Mislav Marohnić notifications@github.com wrote:

This is unfortunate. What I need to do is save your username so you don't have to keep re-entering it. I don't think we need a specific command to configure your account.

---

Reply to this email directly or view it on GitHub:
#225 (comment)

[shvelo]

DO IT ALREADY dammit

[mislav]

You can drop something like this in ~/.config/hub:

---
github.com:
- user: mislav

[shvelo]

Thanks

[TheNotary]

sheesh, can we have a little more love in our comments please?

Anyway, I think explicit user config is a good idea. I have two github accounts because I did lots of tutorials teaching how git and github works. Now I have a tutorial github account + a kewl code github account. I'd like to be able to pick which github account Hub is working with:

$  hub user
==> [n-jax]
     name = TheNotary
     email = no@mail.plz
  [thisismygit]
     name = thisismygit
     email = plzdontsendmail@me.com

And I'd like to be able to change it on the fly:

$ hub user thisismygit
User set to [thisismygit]

For now I'm just deleting the ~/.config/hub file over and over, but that's hackish. Maybe it could be pulling up which user is active from git config --global or w/e the command is. Is the author still pulling in code? Looks like he's been out a couple months.

[kamalmarhubi]

Is there anything approaching a spec for this feature? I may be willing to implement browser-based authentication (#889). Ideally I'd do it in a way that didn't require big rework when this auth command eventually gets worked on.

[mislav]

I think we want the command to be called hub auth and have several subcomands, like login, whoami and possibly config to see per-host hub configuration.

By default you will be authenticating with github.com but you could specify your Enterprise instance with --site git.company.com or http://git.mycompany.com if the Enterprise instance is to be communicated with over HTTP.

When implementing browser-based authentication, how do you plan to deal with the following problems:

1. For browser-based authentication, hub needs to be registered as an OAuth app. How will we embed securely our own OAuth client tokens in the binary?
2. An OAuth app needs to be registered will a callback URL. I presume you want a callback URL such as http://localhost:<port>. However, that means that we have to depend on whatever <port> we choose to be available on localhost.
3. People need to be able to authenticate to Enterprise instances. An OAuth app that we register with github.com (presumably) won't be known to the Enterprise instance because it won't be in its own database. How do you plan to compensate for that?

[kamalmarhubi]

Responded to @mislav's questions about authorization at #889 (comment)

[vitorgalvao]

I’m also interested in this. I don’t want to configure hub when I need it to work and it stops because it asks for information, that’s akin to game consoles always prompting for updates when you turn them on (i.e. when you want to play).

What I want is to configure hub when I’m setting up my machine and configuring everything else as well. That way, the first time I really need it, it’ll just work.

In addition, I have a script other people use that I’m using hub to allow more features. I want to be able to tell people how to configure hub beforehand, so they’re not stopped halfway through the script.

[brntbeer]

@mislav just ran into the problem mentioned back in #899. deleting ~/.config/hub worked, but "bad credentials" seems like it could be expanded.

As a short term fix, before something like hub auth comes along, what if we also returned saying "Double check your OAuth token in ~/.config/hub is correct. You may need to delete it and try the command again to re-authenticate"

[greg-1-anderson]

It would be great if hub auth (or equivalent) could also work with personal access tokens -- or if hub could continue to support environment variable based authentication. When using hub in Continuous Integration, the most convenient way to authenticate is by setting an environment variable through your CI server's web interface. Adding something like hub auth $GITHUB_TOKEN (or whatever) is nicer than having to write a ~/.config/hub file on every run.

[mislav]

@greg-1-anderson For sure; hub won't change the way it handles GITHUB_TOKEN. It's still the preferred way for scripts. But for interactive use, it will be easier to set up a ~/.config/hub file once using a dedicated command, especially for GHE users that might need to copy/paste a token they generated (something that can only be set up manually right now).

[travi]

Other tools use github.user from gitconfig. Could hub either use that directly, or automatically use it, when present, to set user in ~/.config/hub?

[mislav]

@travi That post was from 2008. I'm not sure how many tools used right now honor this information in gitconfig. I discourage putting tokens in gitconfig in general since they could be accidentally leaked if you decide to version your dotiles and put them online.

[travi]

yeah, i don't actually use any of those tools, but do have that value set in my ~/.gitconfig for any that might. i do version my dotfiles, so i certainly dont keep tokens or other sensitive stuff there. i just thought it might be a source that hub could grab someone's github username without needing to prompt for it when setting up the ~/.config/hub file.

[samtstern]

I visit you from the year 2018!

In order to make some progress on this very old issue, I would be happy to submit a PR for hub auth login, a subset of all the above discussions (I don't know anything about GitHub Enterprise).

Here's what I propose it would do:

• Prompt for username, password, and two-factor auth if necessary
• Store that at ~/.config/hub

It's basically the same flow that happens if I run, say, hub issue on a clean machine for the first time.

I am trying to get my team to use hub and integrate it into some of our scripts/playbooks but I need to be able to ensure that they're all authenticated before running any complex scripts.

[mislav]

@samtstern Contributions very welcome! The auth login command could also accept the hostname in case someone wants to log into an Enterprise instance. Optionally, a http:// scheme could also be provided since some people don't host under HTTPS Enterprise.

Example:

$ hub auth login # logs you in github.com
$ hub auth login http://git.my.org

This command should also exit with a success status if current credentials exist and are valid, or warn and re-do the authentication process if the current credentials are invalid.

[brntbeer]

@samtstern @mislav one thing that could be useful, is on first successful signin to github enterprise, write to ~/.config/hub and save the GHE configuration

github.com:
- user: brntbeer
  oauth_token: xxxxxxxxxxxsssssssxxxxcdfdrttrertyhjk
  protocol: https
github_enterprise:
- host: octodemo.com
  user: brntbeer
  oauth_token: 111234567rewwerjhgfdetcetc
  protocol: https

the reason why you may want more than one -host in the github_enterprise section is for people who have more than one github enterprise instance (staging or explicitly allowed otherwise by support)

Edit: of course, do the easiest thing first, which is exclude GHE from this setting 😉

[mislav]

@brntbeer More than one Enterprise host is already supported in the config file in this format:

octodemo.com:
- user: brntbeer
  oauth_token: TOKEN1
  protocol: https
git.myorg.com:
- user: beerbrent
  oauth_token: TOKEN2
  protocol: http

I suppose what the new auth command could do better is to improve the flow of pre-configuring an Enterprise host with an already generated Personal Access Token (this is to support web authentication flows where username/password combo is not allowed) so that the person never has to edit their ~/.config/hub directly.

[brntbeer]

😞 dohh, you're right @mislav ❤️