How to Verify the Git Credentials supplied by the User

How to Verify the Git Credentials supplied by the User

[Deepak Patankar]

Hello!!

I am writing an application in which we will support git integration.
The user will provide us with his/her git credentials so that we can
push some files on his git. The git credentials which user will supply
can be

HTTP (Username and Password/ Kerberos)
SSH

Before saving the user credentials I want to validate that the
credentials entered is valid.

The user might be using GithHub/BitBucket/GitLab. I am trying to find
some git command which I can use to validate the credentials. Can you
please point me to some command/logic which I can try?

What I have tried?
I tried git ls-remote command, but it requires the repo name/url. In
one of our use case, the user won't specify the repository name
beforehand. Because of which I am not able to use this command.


Thanks
Deepak Patankar

Re: How to Verify the Git Credentials supplied by the User

[Junio C Hamano]

Deepak Patankar <patankardeepak04@gmail.com> writes:

> I am writing an application in which we will support git integration.
> The user will provide us with his/her git credentials so that we can
> push some files on his git. The git credentials which user will supply
> can be
>
> HTTP (Username and Password/ Kerberos)
> SSH
>
> Before saving the user credentials I want to validate that the
> credentials entered is valid.

It obviously depends on the remote side, but a relatively safe thing
to try is to run things like "ls-remote" or "push --dry-run" that
will not cause any actual damage against the remote, and see if your
authentication fail.

But you might be asking a XY question.  I would expect that any
reasonable application that manages authentication material for the
user and drives "git fetch" and "git push" would act as a credential
helper and uses the credential protocol to talk to Git, so it will
learn an authentication failure upon the first use, at which point
it has the chance to drop the authentication material it obtained
earlier and ask the user for the corrected one---there is no need
for the application to see if the authentication material is correct
before the user does anything else.


> The user might be using GithHub/BitBucket/GitLab. I am trying to find
> some git command which I can use to validate the credentials. Can you
> please point me to some command/logic which I can try?
>
> What I have tried?
> I tried git ls-remote command, but it requires the repo name/url. In
> one of our use case, the user won't specify the repository name
> beforehand. Because of which I am not able to use this command.

This assumes there always is a single authentication material
regardless of the URL, which is probably not a good security posture
to encourage the users to adopt.

Re: How to Verify the Git Credentials supplied by the User

[Deepak Patankar]

Hey Junio,

Thanks a lot for the help.

On Mon, 12 Oct 2020 at 23:16, Junio C Hamano <gitster@pobox.com> wrote:
>
> Deepak Patankar <patankardeepak04@gmail.com> writes:
>
> > I am writing an application in which we will support git integration.
> > The user will provide us with his/her git credentials so that we can
> > push some files on his git. The git credentials which user will supply
> > can be
> >
> > HTTP (Username and Password/ Kerberos)
> > SSH
> >
> > Before saving the user credentials I want to validate that the
> > credentials entered is valid.
>
> It obviously depends on the remote side, but a relatively safe thing
> to try is to run things like "ls-remote" or "push --dry-run" that
> will not cause any actual damage against the remote, and see if your
> authentication fail.
>
> But you might be asking a XY question.  I would expect that any
> reasonable application that manages authentication material for the
> user and drives "git fetch" and "git push" would act as a credential
> helper and uses the credential protocol to talk to Git, so it will
> learn an authentication failure upon the first use, at which point
> it has the chance to drop the authentication material it obtained
> earlier and ask the user for the corrected one---there is no need
> for the application to see if the authentication material is correct
> before the user does anything else.
>

My previous email was confusing. I will be doing the authentication
check the way you described above
i.e. it will be done only once and I won't do it again and again
before each operation.


I can use the "ls-remote", "push --dry-run" command you suggested, but
I have a use case which I don't know how to solve.
The above commands require a repository. In our application, the user
can give the following details

Git Details:
   Account URL:  https://github.com/OpenPrinting
   UserName: deepakpatankar
   password: ***********

In this case, we don't know the repo name. At this step, I just know
the account and the credentials of the user, later on
the user will provide me with the repo name to which he wants to sync his file.

Since I don't know the repository, I cannot do "git fetch" or "git
push --dry-run". Can I check this credentials with some
logic or git commands?


Thanks
Deepak Patankar

On Tue, 13 Oct 2020 at 10:25, Deepak Patankar
<patankardeepak04@gmail.com> wrote:
>
> Hey Junio,
>
> Thanks a lot for the help.
>
> On Mon, 12 Oct 2020 at 23:16, Junio C Hamano <gitster@pobox.com> wrote:
> >
> > Deepak Patankar <patankardeepak04@gmail.com> writes:
> >
> > > I am writing an application in which we will support git integration.
> > > The user will provide us with his/her git credentials so that we can
> > > push some files on his git. The git credentials which user will supply
> > > can be
> > >
> > > HTTP (Username and Password/ Kerberos)
> > > SSH
> > >
> > > Before saving the user credentials I want to validate that the
> > > credentials entered is valid.
> >
> > It obviously depends on the remote side, but a relatively safe thing
> > to try is to run things like "ls-remote" or "push --dry-run" that
> > will not cause any actual damage against the remote, and see if your
> > authentication fail.
> >
> > But you might be asking a XY question.  I would expect that any
> > reasonable application that manages authentication material for the
> > user and drives "git fetch" and "git push" would act as a credential
> > helper and uses the credential protocol to talk to Git, so it will
> > learn an authentication failure upon the first use, at which point
> > it has the chance to drop the authentication material it obtained
> > earlier and ask the user for the corrected one---there is no need
> > for the application to see if the authentication material is correct
> > before the user does anything else.
> >
>
> My previous email was confusing. I will be doing the authentication
> check the way you described above
> i.e. it will be done only once and I won't do it again and again
> before each operation.
>
>
> I can use the "ls-remote", "push --dry-run" command you suggested, but
> I have a use case which I don't know how to solve.
> The above commands require a repository. In our application, the user
> can give the following details
>
> Git Details:
>    Account URL:  https://github.com/OpenPrinting
>    UserName: deepakpatankar
>    password: ***********
>
> In this case, we don't know the repo name. At this step, I just know
> the account and the credentials of the user, later on
> the user will provide me with the repo name to which he wants to sync his file.
>
> Since I don't know the repository, I cannot do "git fetch" or "git
> push --dry-run". Can I check this credentials with some
> logic or git commands?
>
>
> Thanks
> Deepak Patankar
>
>
>
> >
> > > The user might be using GithHub/BitBucket/GitLab. I am trying to find
> > > some git command which I can use to validate the credentials. Can you
> > > please point me to some command/logic which I can try?
> > >
> > > What I have tried?
> > > I tried git ls-remote command, but it requires the repo name/url. In
> > > one of our use case, the user won't specify the repository name
> > > beforehand. Because of which I am not able to use this command.
> >
> > This assumes there always is a single authentication material
> > regardless of the URL, which is probably not a good security posture
> > to encourage the users to adopt.

Re: How to Verify the Git Credentials supplied by the User

[Junio C Hamano]

Deepak Patankar <patankardeepak04@gmail.com> writes:

> I can use the "ls-remote", "push --dry-run" command you suggested, but
> I have a use case which I don't know how to solve.
> The above commands require a repository. In our application, the user
> can give the following details
>
> Git Details:
>    Account URL:  https://github.com/OpenPrinting
>    UserName: deepakpatankar
>    password: ***********
>
> In this case, we don't know the repo name. At this step, I just know
> the account and the credentials of the user, later on
> the user will provide me with the repo name to which he wants to sync his file.
>
> Since I don't know the repository, I cannot do "git fetch" or "git
> push --dry-run". Can I check this credentials with some
> logic or git commands?

You'd have to go outside Git, as our transport layer is only about
talking with existing repositories.  You cannot even create a new 
repository using Git native methods.

You may need to find a method that works with GitHub account (note
that I am not even using the word repository here, instead saying
"account") and such a method would likely have to involve GitHub
specific API, but it probably would not work with other hosting
providers.

I also would imagine that even at GitHub, one may want to use
different authentication info depending on which repository one
accesses, so the "there is a single User with a password at this
hosting site" data model might turn out to be insufficient, but
that is outside the scope of Git proper.