From: Deepak Patankar <patankardeepak04@gmail.com>
To: Junio C Hamano <gitster@pobox.com>, git@vger.kernel.org
Subject: Re: How to Verify the Git Credentials supplied by the User
Date: Tue, 13 Oct 2020 10:54:15 +0530
Message-ID: <CABmmNJMzs=BOYEv_pUaA3NbNkn_HhyOj_VoYeWSKzz138OCZkQ@mail.gmail.com>
In-Reply-To: <CABmmNJOCJEpGwz3hxYsKO=xwx_rrVv5_QcZuS_=gUZH9bM0G2A@mail.gmail.com>

Hey Junio,

Thanks a lot for the help.

On Mon, 12 Oct 2020 at 23:16, Junio C Hamano <gitster@pobox.com> wrote:
>
> Deepak Patankar <patankardeepak04@gmail.com> writes:
>
> > I am writing an application in which we will support git integration.
> > The user will provide us with his/her git credentials so that we can
> > push some files on his git. The git credentials which user will supply
> > can be
> >
> > HTTP (Username and Password/ Kerberos)
> > SSH
> >
> > Before saving the user credentials I want to validate that the
> > credentials entered are valid.
>
> It obviously depends on the remote side, but a relatively safe thing
> to try is to run things like "ls-remote" or "push --dry-run" that
> will not cause any actual damage against the remote, and see if your
> authentication fails.
>
> But you might be asking an XY question.  I would expect that any
> reasonable application that manages authentication material for the
> user and drives "git fetch" and "git push" would act as a credential
> helper and use the credential protocol to talk to Git, so it will
> learn an authentication failure upon the first use, at which point
> it has the chance to drop the authentication material it obtained
> earlier and ask the user for the corrected one---there is no need
> for the application to see if the authentication material is correct
> before the user does anything else.
>

My previous email was confusing. I will be doing the authentication
check the way you described above, i.e. it will be done only once and
I won't do it again and again before each operation.


I can use the "ls-remote" and "push --dry-run" commands you suggested, but
I have a use case which I don't know how to solve.
The above commands require a repository. In our application, the user
can give the following details:

Git Details:
   Account URL:  https://github.com/OpenPrinting
   UserName: deepakpatankar
   password: ***********

In this case, we don't know the repo name. At this step, I just know
the account and the credentials of the user; later on the user will
provide me with the repo name to which he wants to sync his file.

Since I don't know the repository, I cannot do "git fetch" or "git
push --dry-run". Can I check these credentials with some
logic or git commands?


Thanks
Deepak Patankar

On Tue, 13 Oct 2020 at 10:25, Deepak Patankar
<patankardeepak04@gmail.com> wrote:
>
> Hey Junio,
>
> Thanks a lot for the help.
>
> On Mon, 12 Oct 2020 at 23:16, Junio C Hamano <gitster@pobox.com> wrote:
> >
> > Deepak Patankar <patankardeepak04@gmail.com> writes:
> >
> >
> > > The user might be using GitHub/BitBucket/GitLab. I am trying to find
> > > some git command which I can use to validate the credentials. Can you
> > > please point me to some command/logic which I can try?
> > >
> > > What I have tried?
> > > I tried git ls-remote command, but it requires the repo name/url. In
> > > one of our use cases, the user won't specify the repository name
> > > beforehand. Because of which I am not able to use this command.
> >
> > This assumes there always is a single authentication material
> > regardless of the URL, which is probably not a good security posture
> > to encourage the users to adopt.
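
The credential-helper flow Junio describes, as an added example that is not part of the original thread or Git's own code: a minimal helper that serves a stored credential on `get`, keeps it on `store`, and on `erase` (Git's signal that the server rejected it) drops it and leaves a marker so the application can re-prompt. `cred_helper`, `CRED_DIR`, the file layout and the `.rejected` marker are assumptions for illustration.

```shell
#!/bin/sh
# Constructed example: CRED_DIR, the file layout and the ".rejected" marker
# are assumptions; a real application would use its own secret store.
CRED_DIR="${CRED_DIR:-${TMPDIR:-/tmp}/demo-git-creds}"

cred_helper() {
    op=$1
    protocol='' host='' username='' password=''
    # Git writes key=value attributes on stdin, ended by a blank line or EOF.
    while IFS= read -r line && [ -n "$line" ]; do
        key=${line%%=*}
        val=${line#*=}
        case $key in
            protocol) protocol=$val ;;
            host)     host=$val ;;
            username) username=$val ;;
            password) password=$val ;;
        esac
    done
    if [ -z "$protocol" ] || [ -z "$host" ]; then return 0; fi
    # One entry per protocol+host, so a secret is never offered to another
    # server. The name is sanitised so a hostile host value cannot escape CRED_DIR.
    name=$(printf '%s' "$protocol://$host" | tr -c 'A-Za-z0-9._-' '_')
    entry="$CRED_DIR/$name"
    case $op in
        get)    # Git needs a credential for this host
            if [ -f "$entry" ]; then cat "$entry"; fi
            ;;
        store)  # the server accepted the credential
            ( umask 077
              mkdir -p "$CRED_DIR"
              printf 'username=%s\npassword=%s\n' "$username" "$password" >"$entry"
              rm -f "$entry.rejected" )
            ;;
        erase)  # the server rejected it: drop the secret, flag a re-prompt
            rm -f "$entry"
            mkdir -p "$CRED_DIR"
            : >"$entry.rejected"
            ;;
    esac
    return 0
}

# Installed on PATH as git-credential-demo and enabled with
# "git config credential.helper demo", Git runs it with get, store or erase.
if [ "$#" -gt 0 ]; then cred_helper "$@"; fi
```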
