]> git.ipfire.org Git - thirdparty/git.git/commit - credential.c
projects / thirdparty / git.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 23c56f7) | patch
credential: new attribute password_expiry_utc
authorM Hickford <mirth.hickford@gmail.com>
Sat, 18 Feb 2023 06:32:57 +0000 (06:32 +0000)
committerJunio C Hamano <gitster@pobox.com>
Wed, 22 Feb 2023 23:18:58 +0000 (15:18 -0800)
commitd208bfdfef97a1e8fb746763b5057e0ad91e283b
tree045bc1b816c80266e1fe7be0146aafb88a716824tree | snapshot
parent23c56f7bd5f1667f8b793d796bf30e39545920f6commit | diff
credential: new attribute password_expiry_utc

Some passwords have an expiry date known at generation. This may be
years away for a personal access token or hours for an OAuth access
token.

When multiple credential helpers are configured, `credential fill` tries
each helper in turn until it has a username and password, returning
early. If Git authentication succeeds, `credential approve`
stores the successful credential in all helpers. If authentication
fails, `credential reject` erases matching credentials in all helpers.
Helpers implement corresponding operations: get, store, erase.

The credential protocol has no expiry attribute, so helpers cannot
store expiry information. Even if a helper returned an improvised
expiry attribute, git credential discards unrecognised attributes
between operations and between helpers.

This is a particular issue when a storage helper and a
credential-generating helper are configured together:

[credential]
helper = storage  # eg. cache or osxkeychain
helper = generate  # eg. oauth

`credential approve` stores the generated credential in both helpers
without expiry information. Later `credential fill` may return an
expired credential from storage. There is no workaround, no matter how
clever the second helper. The user sees authentication fail (a retry
will succeed).

Introduce a password expiry attribute. In `credential fill`, ignore
expired passwords and continue to query subsequent helpers.

In the example above, `credential fill` ignores the expired password
and a fresh credential is generated. If authentication succeeds,
`credential approve` replaces the expired password in storage.
If authentication fails, the expired credential is erased by
`credential reject`. It is unnecessary but harmless for storage
helpers to self prune expired credentials.

Add support for the new attribute to credential-cache.
Eventually, I hope to see support in other popular storage helpers.

Example usage in a credential-generating helper
https://github.com/hickford/git-credential-oauth/pull/16

Signed-off-by: M Hickford <mirth.hickford@gmail.com>
Reviewed-by: Calvin Wan <calvinwan@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Documentation/git-credential.txt diff | blob | blame | history
Documentation/gitcredentials.txt diff | blob | blame | history
builtin/credential-cache--daemon.c diff | blob | blame | history
credential.c diff | blob | blame | history
credential.h diff | blob | blame | history
t/t0300-credentials.sh diff | blob | blame | history
Unnamed repository; edit this file 'description' to name the repository.