TokenAuth not working as expected #999

Closed
mccurdyc opened this Issue Oct 26, 2018 · 3 comments

mccurdyc commented Oct 26, 2018

I expect the following to clone a private repository using a personal access token.

```go
...
	r, err := git.PlainClone(<directory>, false, &git.CloneOptions{
		URL:               <url>,
		RecurseSubmodules: git.DefaultSubmoduleRecursionDepth,
		Auth: &http.TokenAuth{
			Token: <personal_access_token>,
		},
	})
...
```

```
git clone https://github.com/mccurdyc/private-repo simple --recursive
error: unexpected client error: unexpected requesting "https://github.com/user/private-repo/info/refs?service=git-upload-pack" status code: 400
```

It looks like GitHub should support it:
https://blog.github.com/2012-09-21-easier-builds-and-deployments-using-git-over-https-and-oauth/

```
git clone https://<personal_access_token>@github.com/user/private-repo.git
```

As a side note, looks like the following work:

```
curl -H 'Authorization: Bearer <personal_access_token>' https://api.github.com/user/repos?visibility=private
curl -H 'Authorization: token <personal_access_token>' https://api.github.com/user/repos?visibility=private
```

The current implementation of TokenAuth in go-git does something similar to 2, except it would only work for GitHub's API and not for cloning.

@smola added some context to this previously here

Also, this goplayground example aligns with the GitHub post in that you would send the token as username.

Next, you can simply use an OAuth token for the username and either a blank password or the string x-oauth-basic when cloning a repository.


smola commented Oct 26, 2018

It seems to me that this works as intended: GitHub accepts using a personal access token with basic HTTP authentication (that is go-git's BasicAuth).

Most modern git hostings recommend using HTTP's basic user:pass authentication for OAuth2 tokens. However, this varies from host to host. GitHub uses <token>: or <token>:x-oauth-basic. Bitbucket uses x-token-auth:<token> (docs). GitLab uses oauth2:<token> (SO).

All of these use cases should be handled with go-git's BasicAuth, which does exactly what the GitHub, Bitbucket or GitLab documentation recommends doing.

go-git's TokenAuth does not use basic HTTP auth, it works by adding an HTTP header (Authorization: Bearer <token>). See https://github.com/src-d/go-git/blob/master/plumbing/transport/http/common.go#L213
It seems at some point that was the way to go with Bitbucket, but not anymore. I don't think it's a good idea to create a new TokenAuth implementation that hardcodes all known git providers in order to decide what to do with OAuth2 tokens for each of them. Users should refer to their documentation and use BasicAuth.

I would recommend removing TokenAuth completely in go-git v5.
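Added example, not part of the original thread and not go-git's own code: a standard-library sketch of the per-host conventions listed in the comment above, showing the `Authorization` header that basic auth puts on the `info/refs` request next to the `Bearer` header that TokenAuth is described as sending. The hostnames, the helper names and the placeholder token are assumptions made for illustration; the user/password pair returned by `basicCredsFor` is what would go into the `Username` and `Password` fields of go-git's `BasicAuth`.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// basicCredsFor maps a token to the basic-auth user:password pair for a host,
// following the conventions quoted in the thread (hostnames are assumed).
func basicCredsFor(host, token string) (user, pass string, err error) {
	switch strings.ToLower(host) {
	case "github.com":
		return token, "x-oauth-basic", nil // thread: <token>: or <token>:x-oauth-basic
	case "bitbucket.org":
		return "x-token-auth", token, nil // thread: x-token-auth:<token>
	case "gitlab.com":
		return "oauth2", token, nil // thread: oauth2:<token>
	}
	return "", "", fmt.Errorf("no token convention known for host %q", host)
}

// infoRefsRequest builds the discovery request seen in the error message above.
func infoRefsRequest(repoURL string) (*http.Request, error) {
	return http.NewRequest(http.MethodGet, repoURL+"/info/refs?service=git-upload-pack", nil)
}

// withBasic sets "Authorization: Basic ..." using the host's convention.
func withBasic(req *http.Request, host, token string) error {
	user, pass, err := basicCredsFor(host, token)
	if err != nil {
		return err
	}
	req.SetBasicAuth(user, pass)
	return nil
}

// withBearer sets the header form the thread attributes to TokenAuth.
func withBearer(req *http.Request, token string) {
	req.Header.Set("Authorization", "Bearer "+token)
}

func main() {
	req, _ := infoRefsRequest("https://gitlab.com/user/private-repo")
	_ = withBasic(req, "gitlab.com", "EXAMPLE-TOKEN") // constructed placeholder token
	user, _, ok := req.BasicAuth()
	fmt.Println("basic user:", user, "parsed as basic:", ok)
	withBearer(req, "EXAMPLE-TOKEN")
	_, _, ok = req.BasicAuth()
	fmt.Println("bearer parsed as basic:", ok)
}
```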


mccurdyc commented Oct 26, 2018

@smola I think removing TokenAuth is a great idea unless there is an absolute need to keep it.

At least for me, it added much more confusion because I really didn't understand the use case, because like you said, providers such as GitHub, BitBucket and GitLab support basic HTTP auth.

You can close this issue if you want or leave it open for when this gets addressed in go-git v5.


smola commented Oct 26, 2018

@mcuadros Should we update TokenAuth godoc to deprecate it and recommend BasicAuth? Then removing it in go-git v5...
