gitcreds can inadvertently use oauth token deposited by github's gh cli
maxheld83 opened this issue · 2 comments
I think GitHub's gh CLI may deposit its (oauth!) token in such a way that it may be (inadvertently?) used by gitcreds:
gh auth refresh
Rscript -e "gitcreds::gitcreds_get()"
<gitcreds>
protocol: https
host : github.com
username: maxheld83
password: <-- hidden -->
gh::gh_whoami()
#> {
#> "name": "Max Held",
#> "login": "maxheld83",
#> "html_url": "https://github.com/maxheld83",
#> "scopes": "gist, read:org, repo, workflow",
#> "token": "gho_...NEf6"
#> }
As per the token prefix, this is an OAuth access token, not a PAT.
This has happened to me as I first installed and played around with GitHub's gh (!= r-lib/gh), and then tried to deposit another PAT into gitcreds::gitcreds_set().
Because the two are username-keyed (maxheld83@https://github.com in this case), it appears that setting one (OAuth token from gh, or PAT from the GitHub UI) will always replace the other.
I'm not sure this is a problem per se, just thought it was a bit odd/unexpected.
Coming from a PAT-world, perhaps it is possible that this can lead to unexpectedly elevated scopes under some scenarios.
(A related problem, with more discussion, arises in credentials, which doesn't expect username-keyed tokens: r-lib/credentials#16)
The gh CLI sets a generic token that is also used by command-line git. I assume this is by design.
gitcreds by default uses the same token as command-line git, which is the whole point of it. In fact gitcreds just calls command-line git to get/set the credentials.
In general people only want a single token for a single user on the same machine. Since all programs have access to command-line git's credentials, it is hard to imagine a case when this causes security issues.
It seems like you want to use a different token for the gh CLI and R packages based on gitcreds. This is surely possible with some extra setup. The exact setup probably depends on the credential helper you use. Which token do you want to use in command-line git (and thus RStudio)?
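Added example (not from this thread or from gitcreds/gh): since gitcreds just asks command-line git for credentials, the same `git credential fill` query shows which token any git-backed tool on the machine will receive for github.com, and the token prefix (gho_ for an OAuth token stored by gh, ghp_/github_pat_ for PATs) tells you which kind it is. The prefix list is GitHub's documented one; the function names are my own.

```shell
#!/bin/sh
# Classify a GitHub token by its documented prefix so that an OAuth token
# deposited by the gh CLI is noticed before it is treated as a PAT.
classify_token() {
  case "$1" in
    ghp_*)        echo "classic-pat" ;;
    github_pat_*) echo "fine-grained-pat" ;;
    gho_*)        echo "oauth-access-token" ;;   # what `gh auth login` stores
    ghu_*)        echo "app-user-to-server" ;;
    ghs_*)        echo "app-installation" ;;
    *)            echo "unknown" ;;
  esac
}

# Read the key=value lines that `git credential fill` prints on stdin and
# return the value for one key (e.g. password). Fails if the key is absent.
credential_field() {
  key="$1"
  while IFS= read -r line; do
    case "$line" in
      "$key="*) printf '%s\n' "${line#"$key="}"; return 0 ;;
    esac
  done
  return 1
}

# Ask git (and thus the configured credential helper) what it holds for
# github.com; this is the same lookup gitcreds::gitcreds_get() performs.
github_token_type() {
  token=$(printf 'protocol=https\nhost=github.com\n\n' \
          | git credential fill 2>/dev/null \
          | credential_field password) || return 1
  classify_token "$token"
}
```

Running `github_token_type` prints e.g. `oauth-access-token` when the stored credential came from `gh auth login`, without ever echoing the token itself.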
I have no need for using separate tokens, I was just surprised by this sharing of tokens and confused what's considered good practice here.
Apologies for the noise.
Reopen if you'd like to add 2-3 sentences somewhere appropriate in the docs to point this out.