author: Egor Tensin <Egor.Tensin@gmail.com> 2021-03-29 15:27:45 +0300
committer: Egor Tensin <Egor.Tensin@gmail.com> 2021-03-29 15:27:45 +0300
commit: 7bf6935a9a83e3ad1ca0c6360ea53420760d5b97 (patch)
tree: 79c77ec3cb3afc704f2366d8e1962dc3b9556009 /docs
parent: don't expose access tokens in the clone URL (diff)
download: cgitize-7bf6935a9a83e3ad1ca0c6360ea53420760d5b97.tar.gz
cgitize-7bf6935a9a83e3ad1ca0c6360ea53420760d5b97.zip
docs/auth.md: update
Diffstat (limited to 'docs')
-rw-r--r-- docs/auth.md 25
1 files changed, 23 insertions, 2 deletions
diff --git a/docs/auth.md b/docs/auth.md
index 3b64fd9..4eabcd5 100644
--- a/docs/auth.md
+++ b/docs/auth.md
@@ -25,5 +25,26 @@ When using HTTPS, there're multiple options to access the private repositories.
3. Use per-application passwords. This option is pretty cool. Both GitHub (in
the form of "personal access tokens") and Bitbucket (calls them "app
passwords") support creating one-purpose passwords that are supposed to be
- used by a single app only. They allow to bypass the 2FA also. cgitize will
- support this option.
+ used by a single app only. They allow to bypass the 2FA also. Let's do
+ this!
+
+Passing the access tokens to Git is tricky though. First, simply including
+them in the clone URL would be incredibly stupid, since that URL is going to be
+visible on the cgit web pages. There's an option to use the Git
+`credentials.helper`, but I thought that it was quite hard to get right in a
+cross-platform way.
+
+Now, there's `url.<url>.insteadOf`. It can be used to make Git rewrite every
+URL to include the access token.
+
+* I don't want to set it permanently to avoid leaking the access token.
+* I don't want to set it in the repository's `--local` .git/config, since it is
+ probably readable by other users.
+* I don't want to ever use it on the command line to avoid leaking it.
+
+Eventually, the option I settled on is to
+
+1. `chmod 0600 ~/.gitconfig`.
+2. Append the section to ~/.gitconfig from Python (_not_ by using `git
+ config`).
+3. Undo everything once we're done.
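Review bot: the config key named in the third added paragraph is misspelled; Git's option is `credential.helper` (singular), not `credentials.helper`, so readers who try the helper route will look up the wrong name. Separately, the three-step procedure at the end has a cleanup gap worth documenting: step 3 ("Undo everything once we're done") should explicitly run when the clone or fetch fails as well (a `try`/`finally` around the Python code that appends the section), otherwise an error mid-run leaves the token sitting in `~/.gitconfig`; step 1 should also note that `chmod 0600 ~/.gitconfig` fails when the file does not exist yet, and that the file's original mode (or absence) is what step 3 should restore.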