Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Passwords no longer accepted by GitHub for pushing to https repos #1176

Closed
joelostblom opened this issue Oct 4, 2022 · 6 comments · Fixed by #1220
Closed

Passwords no longer accepted by GitHub for pushing to https repos #1176

joelostblom opened this issue Oct 4, 2022 · 6 comments · Fixed by #1220
Labels

Comments

@joelostblom
Copy link

Description

When I try to push from a Git repo cloned with https I see this box:

image

While it says that I could enter my password, this is no longer supported by GitHub and if I do so I am shown this error message:

image

Reproduce

Clone a repo via https, change something and commit it, try to push

Expected behavior

Only mention PAT and include a link to https://docs.github.com/en/get-started/getting-started-with-git/about-remote-repositories#cloning-with-https-urls or https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token

Context

  • Extension version: 0.37.1
@joelostblom joelostblom added the bug label Oct 4, 2022
@fcollonval
Copy link
Member

Thanks for reporting @joelostblom

The difficulty here is that this is specific to GitHub and the extension is used with other platforms.

@joelostblom
Copy link
Author

Yeah that makes sense. Maybe the extension could fill the placeholder text dynamically depending on the url of the first remote it finds in the repo? But I understand if that is too complicated for a small feature.

@fcollonval
Copy link
Member

@joelostblom feel free to push a PR to deal with github.com. I don't see another way here.

@shawnesquivel
Copy link
Contributor

shawnesquivel commented Feb 8, 2023

I was able to reproduce the bug when using my password. According to the link mentioned in the error message, only the personal access token [2] should be used.

The reasoning is mentioned as below:
"Password-based authentication for Git has been removed in favor of more secure authentication methods" [1]

My recommendation is to remove the "password" from the password placeholder text as it is not supported by GitHub. When using my PAT token, it pushes as expected, so users should just use that.

It may also be useful to include [2] as an embedded link to the text: "What is my personal access token?" underneath the login

image

[1] https://docs.github.com/en/get-started/getting-started-with-git/about-remote-repositories#cloning-with-https-urls
[2] https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token

@shawnesquivel
Copy link
Contributor

shawnesquivel commented Feb 11, 2023

@joelostblom Are you still having this issue? I tried reproducing the bug today by cloning a repository using https, making a commit, and pushing with @jupyterlab/git v0.41.0.

It successfully pushes and I'm not prompted to enter my password. Unfortunately, there are no console logs so it's difficult to say why it's working now.

@fcollonval Any tips on how to navigate this if I can no longer reproduce the bug with the latest version, should I attempt to fix it in v0.37.0?

@fcollonval
Copy link
Member

@shawnesquivel a way to reproduce it without actually having to deal with git command is to temporary modify the Python code to emulate an authentication error.
For example, for the clone action, you could replace the following:

data = self.get_json_body()
response = await self.git.clone(
self.url2localpath(path),
data["clone_url"],
data.get("auth", None),
data.get("versioning", True),
data.get("submodules", False),
)
if response["code"] != 0:
self.set_status(500)
self.finish(json.dumps(response))

by

self.set_status(500)
self.finish(json.dumps({"code": 128, "message": "Invalid username or password"}))

fcollonval added a commit that referenced this issue Mar 3, 2023
…thub (Fix #1176) (#1220)

* modified password placeholder text to only include PAT

* changed placeholder text if remote URI matches github https

* removed redundant type annotation

* get remote for no-auth git pull

* cleaned code and added catch for git clone

* removed comment

* removed old code

* fixed no-case-declarations error in the catch switch block

* fixed and ignored no-case-declaration errors

* removed redundant type annotation

* Update src/commandsAndMenu.tsx

Co-authored-by: Frédéric Collonval <[email protected]>

* updated translation strings and simplified gitPull

* make variable names more descriptive

---------

Co-authored-by: Frédéric Collonval <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
3 participants