Expect personal access token in password field, not username field#6421
Closed
Also, check to make sure that the username input matches the user associated with the token.
Great contribution. I was trying to configure my gogs server to let it behave like Github 2FA, but it seems it's not a configuration issue but more an implementation issue. Is there any reason why it isn't in upstream yet? Who are the maintainers of this project? I see @unknwon is approving pull requests.
unknwon (Member) requested changes on Sep 3, 2021 and left a comment:
Thanks for the PR!
This is a great improvement, but it also introduces breaking changes, i.e. people who are relying on passing the access token via the username field will now fail.
I think we should support passing access token in both fields for backward compatibility.
Member
Superseded by #7198.
Fixes #3866
Users with 2FA enabled rely on personal access tokens to authenticate on the command line. Gogs supports this feature, but the implementation expects the user to enter their token in the username field and leave the password field blank. This is poor security because the token is meant to be a secret, but neither Git nor Gogs treat the contents of the username field as a secret.
This small change fixes this behavior by expecting the user to input their username in the username field and their personal access token in the password field. The authentication attempt only succeeds if both fields are correct. Note that this is the behavior on GitHub, as far as I can tell.
I'm quite new to Go, so I welcome any edits or suggestions.
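An added example, not code from this PR or from Gogs, of the credential-resolution order discussed in this thread: username plus token in the password field (the PR's proposal, with the username required to match the token's owner), the legacy token-in-username form kept for backward compatibility as the maintainer requested, and finally a regular password login. The in-memory user and token stores, hashPassword and basicAuth are hypothetical stand-ins for the real Gogs models.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Constructed stand-ins for Gogs' user and access-token stores (the real models
// are not on the PR page). SHA-256 stands in for a real password hash such as
// bcrypt only to keep the example short.
func hashPassword(p string) []byte { h := sha256.Sum256([]byte(p)); return h[:] }

var users = map[string][]byte{"alice": hashPassword("s3cret-pw"), "bob": hashPassword("hunter2")}
var tokens = map[string]string{"tok_alice_1": "alice", "tok_bob_1": "bob"} // token -> owner
var errAuth = errors.New("invalid credentials")

// basicAuth resolves an HTTP Basic username/password pair to a user name.
// Order of checks:
//  1. token in the password field, username equal to the token's owner
//     (the behaviour this PR proposes);
//  2. token in the username field with an empty password (pre-PR Gogs
//     behaviour, kept for backward compatibility as the maintainer asked);
//  3. ordinary username/password login.
func basicAuth(username, password string) (string, error) {
	if owner, ok := tokens[password]; ok {
		if subtle.ConstantTimeCompare([]byte(owner), []byte(username)) == 1 {
			return owner, nil
		}
		return "", errAuth // valid token, but presented under someone else's username
	}
	if password == "" {
		if owner, ok := tokens[username]; ok {
			return owner, nil
		}
		return "", errAuth
	}
	if want, ok := users[username]; ok &&
		subtle.ConstantTimeCompare(want, hashPassword(password)) == 1 {
		return username, nil
	}
	return "", errAuth
}

func main() {
	for _, c := range [][2]string{{"alice", "tok_alice_1"}, {"bob", "tok_alice_1"}, {"tok_bob_1", ""}} {
		u, err := basicAuth(c[0], c[1])
		fmt.Printf("%q/%q -> user=%q err=%v\n", c[0], c[1], u, err)
	}
}
```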