Use personal access tokens as password · Issue #3866 · gogs/gogs · GitHub

Use personal access tokens as password #3866

Closed
alexmace opened this issue Nov 7, 2016 · 8 comments · Fixed by #7198
Labels
🔨 enhancement Make it better, faster 🔒 security Categorizes as related to security

@alexmace
alexmace commented Nov 7, 2016

GitHub allows the usage of personal access tokens as password (as per https://help.github.com/articles/which-remote-url-should-i-use/#cloning-with-https-urls-recommended)

It'd be great if Gogs could also allow this, so that I can give the token to an application I want to use, rather than my actual password.

Many thanks for the great software!

@bkcsoft
Contributor
bkcsoft commented Nov 8, 2016

Gogs already has support for this. Is there an instance where it doesn't work?

@alexmace
Author
alexmace commented Nov 9, 2016

I don't believe it does; the only documentation I have seen shows a personal access token being used as the username when accessing the repository via HTTP (e.g. http://token@git.server.com/username/repo.git).

I am looking to automatically store the details using the git osxkeychain credentials helper as part of a setup script on my Mac (based on a similar approach used with GitHub, as shown here: https://github.com/MikeMcQuaid/strap/blob/master/bin/strap.sh#L180)

However, storing just the token as the username with no password does not seem to work, so I cannot use the existing support.

@unknwon
Member
unknwon commented Feb 1, 2017

In Gogs, an access token can be an alternative to the combination of username+password.

@unknwon unknwon added 🔨 enhancement Make it better, faster priority: maybe You know what, it sounds good labels Feb 1, 2017
@ahasbini
ahasbini commented Nov 4, 2017

Is this also related to doing git actions (push/pull/clone) with access tokens?

I just tried creating a token, stored it in my config along with other credentials that I use on other services (GitHub, BitBucket), tried cloning a private repo and it gave the following error:
fatal: Authentication failed for 'https://try.gogs.io/ahasbini/TEST.git/'
Note that it didn't ask for username and password which is normal for me since I've manually inserted the token into the credentials.

Is there a temporary way to make this work?

@unknwon
Member
unknwon commented Nov 14, 2017

@ahasbini I think you should be able to use the token as the "username" part, with an empty password.

@vallon
vallon commented Aug 4, 2018

I would reclassify this as a security issue.

Putting a secret token in the username field is contrary to good security practice. There are many places in the chain from git-to-gogs that might log the username (in plain text): http access logs (=> system logs, web activity logs), git itself (user is echoed at prompt).

The token should be passed via "Password" so that it is treated as a secret by all parties.

@unknwon unknwon added this to the 0.12 milestone Aug 16, 2018
@unknwon unknwon added 🔒 security Categorizes as related to security and removed priority: maybe You know what, it sounds good 🔒 security Categorizes as related to security labels Aug 16, 2018
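
The logging exposure raised in the comment above can be checked for on the server side. The following is an added example, not part of the original thread or of Gogs: it scans Combined Log Format access-log lines (the format in which nginx's $remote_user and Apache's %u record the Basic-auth user name as the third field), flags entries whose user field looks like an access token, and redacts it. It assumes a Gogs token is 40 hexadecimal characters; the log lines and the token are constructed.

```python
import re

# Assumption: a Gogs access token is 40 hexadecimal characters (SHA-1 sized).
TOKEN_RE = re.compile(r"^[0-9a-f]{40}$")

# Combined Log Format: host ident user [time] "request" status rest...
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<rest>.*)$'
)

# Constructed sample input: hosts, users, paths and the token are made up.
SAMPLE_LOG = """\
192.0.2.10 - alice [04/Aug/2018:10:00:01 +0000] "GET /alice/repo.git/info/refs?service=git-upload-pack HTTP/1.1" 200 312
192.0.2.11 - 0123456789abcdef0123456789abcdef01234567 [04/Aug/2018:10:00:05 +0000] "GET /team/private.git/info/refs?service=git-upload-pack HTTP/1.1" 200 298
192.0.2.12 - - [04/Aug/2018:10:00:09 +0000] "GET /explore/repos HTTP/1.1" 200 5120
this line is not an access log entry
"""


def scan(log_text):
    """Return (findings, redacted_text) for token-shaped user fields."""
    findings, out = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = CLF_RE.match(line)
        if not m or not TOKEN_RE.match(m["user"].lower()):
            out.append(line)  # unparsable or ordinary user name: keep as is
            continue
        findings.append({
            "line": lineno,
            "host": m["host"],
            "request": m["request"],
            # Short prefix only, enough to identify which token to revoke.
            "token_prefix": m["user"][:4],
        })
        start, end = m.span("user")
        out.append(line[:start] + "[REDACTED-TOKEN]" + line[end:])
    return findings, "\n".join(out)


if __name__ == "__main__":
    hits, cleaned = scan(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: token {h['token_prefix']}... from {h['host']}")
    print(cleaned)
```

Any token found this way has already been written to disk in plain text, so it should be revoked and reissued, not just redacted.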
@Ellpeck
Ellpeck commented Sep 4, 2020

Why is this not classified as a security issue anymore?

Especially when two-factor authentication is enabled on an account, the username+password approach cannot be used at all when cloning a repository using http. This means that using the access token as the username is the only possibility in that instance.

Either way, thanks so much for all the hard work that you do on Gogs!

@unknwon unknwon added the 🔒 security Categorizes as related to security label Sep 4, 2020
@unknwon unknwon removed this from the Triaging priority milestone Mar 5, 2022
@jpedrot
jpedrot commented Jun 4, 2022

Is it supposed to work with the token in the password now?
I am unable to get token as password to work.

OS X 12.4
osxkeychain
Gogs 12.8

Using the token in the username works, but I am unable to get it to work with the token as the password.
Should the username be blank or the actual username when using the token as a password?

@unknwon unknwon added this to the 0.13.0 milestone Jun 5, 2022
@unknwon unknwon moved this to QA / In Review in Gogs Roadmap Oct 22, 2022
Repository owner moved this from QA / In Review to Done in Gogs Roadmap Oct 22, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 21, 2023
Status: Done
7 participants