From 7bf6935a9a83e3ad1ca0c6360ea53420760d5b97 Mon Sep 17 00:00:00 2001 From: Egor Tensin Date: Mon, 29 Mar 2021 15:27:45 +0300 Subject: docs/auth.md: update --- docs/auth.md | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/auth.md b/docs/auth.md index 3b64fd9..4eabcd5 100644 --- a/docs/auth.md +++ b/docs/auth.md @@ -25,5 +25,26 @@ When using HTTPS, there're multiple options to access the private repositories. 3. Use per-application passwords. This option is pretty cool. Both GitHub (in the form of "personal access tokens") and Bitbucket (calls them "app passwords") support creating one-purpose passwords that are supposed to be - used by a single app only. They allow to bypass the 2FA also. cgitize will - support this option. + used by a single app only. They allow to bypass the 2FA also. Let's do + this! + +Passing the access tokens to Git is tricky though. First, simply including +them in the clone URL would be incredibly stupid, since that URL is going to be +visible on the cgit web pages. There's an option to use the Git +`credentials.helper`, but I thought that it was quite hard to get right in a +cross-platform way. + +Now, there's `url..insteadOf`. It can be used to make Git rewrite every +URL to include the access token. + +* I don't want to set it permanently to avoid leaking the access token. +* I don't want to set it in the repository's `--local` .git/config, since it is + probably readable by other users. +* I don't want to ever use it on the command line to avoid leaking it. + +Eventually, the option I settled on is to + +1. `chmod 0600 ~/.gitconfig`. +2. Append the section to ~/.gitconfig from Python (_not_ by using `git + config`). +3. Undo everything once we're done. -- cgit v1.2.3
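Review bot: In the added paragraph "Now, there's `url..insteadOf`", the config key has lost its placeholder and reads as an empty section name; the Git key is `url.<base>.insteadOf`, so the doc should spell it out (for example `url.https://TOKEN@github.com/.insteadOf` with the value `https://github.com/`, token shown as a placeholder) and note that the `<base>` part is where the token ends up, since that is exactly the value the later bullets are trying not to leak. The numbered procedure at the end of the hunk also needs two clarifications: step 3 "Undo everything once we're done" should say what is undone (remove only the appended section, restore the original mode of `~/.gitconfig`, which `chmod 0600` in step 1 silently overwrites) and what happens if cgitize is killed between steps 2 and 3, because in that case the token stays in `~/.gitconfig` with no cleanup; a sentence suggesting the rewrite be done in a try/finally block in the Python code would make the intended behaviour explicit. Finally, the doc should mention that while the section is present, the `insteadOf` rewrite applies to every `git` process run by that user, not just to cgitize, so other clones made during the mirroring run will also send the token.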