git-credential-rbw is broken in 1.10.0

Question

git-credential-rbw is broken in 1.10.0

ymatsiuk opened this issue 2 months ago · comments

Yurii Matsiuk commented 2 months ago

Before #132 credentials helper was fetching the entity by its name, now it seems like URI is a priority.

Context:
I have two entries in my vault:

github which holds my GH credentials (e.g. username and password) (URI is set to https://github.com)
https://github.com carved specifically for git-credential-rbw which only contains GH token (no URI)

With the recent change when I push I see the following (was not the case before):

remote: Support for password authentication was removed on August 13, 2021.
remote: Please see https://docs.github.com/get-started/getting-started-with-git/about-remote-repositories#cloning-with-https-urls for information on currently recommended modes of authentication.

Now rbw get --full https://github.com is identical to rbw get --full github and displays the content of github whereas to get the value of https://github.com I have to run rbw get --full github.com. And if I set the URI for both I get this

❯ rbw get --full https://github.com
rbw get: couldn't find entry for 'https://github.com/': multiple entries found: <snip>@github, <snip>@https://github.com
❯ rbw list | grep github
github
https://github.com

We either have to fix credentials helper or revert the change and give it another round of thoughts.
One of the potential fixes could be checking the name first and only if the name doesn't match use the URI instead.

Thanks!

Edit: removing URI from the github secrets works as a workaround, but presents wrong secret in the browser extension

Yurii Matsiuk · Answer 1 · Thu May 02 2024 17:34:54 GMT+0800 (China Standard Time)

I think I ruled this out. This is the solution:

[credential]
	helper = "rbw"
	username = "<username>"

I added username into credentials section of git config then changed my secrets to use email for github web authentication (note: github supports both username and email)

This is what it looks like now:

❯ rbw get --full github
<snip/password>
Username: <snip/email>
URI: https://github.com
❯ rbw get --full https://github.com
<snip/token>
Username: <snip/username>

These secrets don't overlap anymore.

Hopefully this saves someone else's frustration 😉

Edit: I ended up using custom helper:

[credential]
	helper = "!f() { test \"$1\" = get && while read -r line; do case $line in protocol=*) protocol=${line#*=} ;; host=*) host=${line#*=} ;; username=*) user=${line#*=} ;; esac done && test \"$protocol\" = \"https\" && test -n \"$host\" && token=$(rbw get \"$host\" \"$user\") && printf 'password=%s\n' \"$token\"; }; f"
	username = "ymatsiuk"