From: "brian m. carlson" <sandals@crustytoothpaste•net>
To: Ashlesh Gawande <git@ashlesh•me>
Cc: git@vger•kernel.org, "Patrick Steinhardt" <ps@pks•im>,
"Junio C Hamano" <gitster@pobox•com>,
"Ævar Arnfjörð Bjarmason" <avarab@gmail•com>
Subject: Re: [PATCH] http.c: prompt for username on 403
Date: Tue, 14 Oct 2025 21:29:14 +0000
Message-ID: <aO7Aqooz-0ppbcMP@fruit.crustytoothpaste.net>
In-Reply-To: <20251014144354.1457818-2-git@ashlesh.me>
On 2025-10-14 at 14:43:52, Ashlesh Gawande wrote:
> Scenario:
> - There are a few pre-production systems that a lot of testers and
> developers need to time share because of low availability
> - Devops generates a GitHub token with pull only access
> and adds it to the netrc file on these systems
> (Pull only as we don't want testers/others to be able to push)
> - Testers log in and do a git pull for the latest changes
> (via netrc credentials - though testers may not be aware)
> - Developers log in to debug issues and may make fixes to the test repo
> - Now when developers try to push their changes they receive:
> fatal: unable to access 'https://github.com/<org>/<project>/':
> The requested URL returned error: 403
> - The developer is not given the chance to supply an authorized token
> and either needs to comment the netrc file or copy the changes over
> to their own machine
>
> Signed-off-by: Ashlesh Gawande <git@ashlesh•me>
> ---
> http.c | 2 +-
> t/lib-httpd.sh | 9 +++++++++
> t/lib-httpd/apache.conf | 4 ++++
> t/lib-httpd/passwd | 1 +
> t/t5550-http-fetch-dumb.sh | 24 ++++++++++++++++++++++++
> 5 files changed, 39 insertions(+), 1 deletion(-)
>
> diff --git a/http.c b/http.c
> index 7e3af1e72f..18959f63b9 100644
> --- a/http.c
> +++ b/http.c
> @@ -1852,7 +1852,7 @@ static int handle_curl_result(struct slot_results *results)
> return HTTP_NOMATCHPUBLICKEY;
> } else if (missing_target(results))
> return HTTP_MISSING_TARGET;
> - else if (results->http_code == 401) {
> + else if (results->http_code == 401 || results->http_code == 403) {
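Review bot: Treating 403 the same as 401 in the changed `else if` condition conflates "not permitted" with "credentials missing or invalid", and the body of that branch is not visible in the quoted hunk, so everything it does for a 401 would now also run for a permission refusal (the reply below states that the 401 path erases credentials). Consider giving 403 its own branch that can re-prompt without discarding the stored credential, or gating the new behaviour behind configuration. The diffstat also places the new test only in t/t5550-http-fetch-dumb.sh, while the scenario in the commit message is a failed push, so a push-side test would be worth adding.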
I don't think this is a good idea. Existing servers send a 401 when no
credentials are available and 403 if credentials are sent but are not
valid for a repository. The former case causes credentials to be
erased, but the latter does not.

Your proposal will cause someone's credentials to be erased just because
they don't have access to a repository, which would be bad because it's
not that the credentials are invalid (that would be a 401) but that the
credentials are not usable for that repository or for that operation.

So if I attempt to push to https://github.com/git/git.git, then my
credentials will be erased even though there are no valid credentials
that could possibly grant me access to that repository (because I'm not
Junio). Then _none_ of my pushes work because my token is gone.

I agree that it's inconvenient that netrc credentials override other
credentials, but the proper thing to do would be to (a) not share
working trees among users (since Git's security model doesn't allow for
that), (b) not use netrc for this purpose and use a credential helper,
(c) add functionality to disable netrc via config, or (d) use an SSH
deploy key for automated systems with `GIT_SSH_COMMAND` and `ssh -i` and
have developers forward their SSH agent to push.
--
brian m. carlson (they/them)
Toronto, Ontario, CA
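The failure mode described in the reply above, as an added toy model that is not part of the original message and is not Git's code: a single stored token, a server that answers 401 for missing or invalid credentials and 403 for a valid token without permission, and two erase policies. All names (`cred_store`, `server_push`, `client_push`, `VALID_TOKEN`, the repository names) are assumptions made for illustration, and the model has no prompt step, so a push with an erased token simply returns 401.

```c
#include <stdio.h>
#include <string.h>

#define VALID_TOKEN "tok-constructed-example"   /* constructed sample value */

enum policy { ERASE_ON_401_ONLY, ERASE_ON_401_AND_403 };

struct cred_store { char token[64]; };          /* "" means nothing stored */
struct repo { const char *name; int token_may_push; };

/* Server side: 401 = who are you?, 403 = known identity, not allowed here. */
static int server_push(const struct repo *r, const char *token)
{
	if (strcmp(token, VALID_TOKEN) != 0)
		return 401;
	return r->token_may_push ? 200 : 403;
}

/* Client side: push with the stored token, then apply the erase policy. */
static int client_push(struct cred_store *cs, const struct repo *r, enum policy p)
{
	int code = server_push(r, cs->token);

	if (code == 401 || (code == 403 && p == ERASE_ON_401_AND_403))
		cs->token[0] = '\0';            /* credential treated as rejected */
	return code;
}

/* Push to a repository the token cannot write to, then to one it can.
 * Returns the HTTP status of the second push. */
int second_push_status(enum policy p)
{
	struct cred_store cs;
	struct repo upstream = { "someone-else/project", 0 };
	struct repo mine = { "me/project", 1 };

	strcpy(cs.token, VALID_TOKEN);
	client_push(&cs, &upstream, p);         /* 403 under either policy */
	return client_push(&cs, &mine, p);
}

int main(void)
{
	printf("erase on 401 only:    %d\n", second_push_status(ERASE_ON_401_ONLY));
	printf("erase on 401 and 403: %d\n", second_push_status(ERASE_ON_401_AND_403));
	return 0;
}
```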