Storing / editing Github Access Tokens in Windows Credential Manager

Time:09-21

I am currently working on a project that allows me to work with 2 GitHub accounts (work / private). I am building a NodeJS CLI that takes a username as a parameter and updates the following values accordingly:

git config --global user.name USERNAME
git config --global user.email EMAIL

Updates Windows credential manager with the following values:
USERNAME, PERSONAL-ACCESS-TOKEN

The email and personal access token are stored safely, and retrieving them is not the problem here. I am using Windows Credential Manager to store my Git credentials, but when I look into my Credential Manager, I have 2 separate entries that can be used for GitHub authentication:

  1. vscodevscode.github-authentication/github.auth --> username: github.auth
  2. git:https://github.com --> username: PERSONAL USERNAME

I understand that for a short while now, GitHub has been using tokens to authenticate its users, and that the preferred way of storing these credentials is with the URL syntax (https://USERNAME:PERSONAL-ACCESS-TOKEN@github.com/LINK_TO_REPO), but this only works per repository. I am looking for 1 command to change the Git authentication (for GitHub) globally.

So is it possible for VS Code (I am using GitLens plugin, and VS Code authenticates itself to GitHub) to use a custom username Personal Access Token stored in a file somewhere, instead of the github.auth account credentials? Or for that matter, stored in Windows Credential Manager, where I have access to read and edit them?

And does GitHub accept the Personal Access token if Windows Credential Manager stores / passes it as a password?

CodePudding user response:

It is not the case that the preferred way of storing tokens is in the URL. Git upstream specifically discourages that because it leaves credentials in plaintext in the repository where they can be read by anyone, which is completely insecure.

The preferred way is using a credential manager, of which there are two possibilities on Windows: wincred, which uses the Windows Credential Manager, and manager, which is Git Credential Manager Core (which may also use the Windows Credential Manager or something else). You may also use the store backend, which stores in a plaintext file, although this is only slightly better than storing in the URL. The preferred backend can be set in Git by setting the credential.helper value. The Git FAQ covers this in some detail.

The Git FAQ also mentions how to set up multiple accounts over HTTP. It is relatively simple and will work automatically with your credential helper if you use one. Note that you may need to tell VS Code to leave itself out of the authentication process; I can't really speak to how to do that since I don't use VS Code.

With the way that Git does authentication over HTTPS right now, whether you use a token or a password, it is passed the same way: as the password using Basic authentication. That's true even though GitHub doesn't accept passwords: the token is still passed in the password field for Basic auth, and anything that is not a token is rejected.

Finally, note that user.name is not a username. The Git FAQ specifically mentions that it is a personal name (e.g., the maintainer of Git has it set to “Junio C Hamano”) and has nothing to do with authentication. This is the author and committer name that is used in commits that you create.
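
For the Node CLI described in the question, one way to pass a username and token to whichever credential.helper is configured is `git credential approve`, which reads Git's key=value credential format on stdin. This is an added example, not code from the thread; the function names and the sample account values are hypothetical.

```javascript
// Added example (not from the original thread). Account names and tokens
// passed to these functions are the caller's; none are embedded here.

// Git's credential protocol: one key=value per line, ended by a blank line.
// A line break or NUL inside a value could smuggle in extra attributes
// (for example a different host), so such values are refused.
function credentialInput({ protocol = "https", host, username, password }) {
  const fields = { protocol, host, username, password };
  const lines = [];
  for (const [key, value] of Object.entries(fields)) {
    if (typeof value !== "string" || value === "") {
      throw new Error(`missing credential field: ${key}`);
    }
    if (/[\r\n\0]/.test(value)) {
      throw new Error(`illegal character in credential field: ${key}`);
    }
    lines.push(`${key}=${value}`);
  }
  return lines.join("\n") + "\n\n";
}

// What Git sends over HTTPS: Basic auth with the token in the password slot.
function basicAuthHeader(username, token) {
  return "Basic " + Buffer.from(`${username}:${token}`, "utf8").toString("base64");
}

// Hands the credential to the configured credential.helper.
// The token travels on stdin, never on the command line or in a remote URL.
function storeCredential(cred) {
  const { spawnSync } = require("node:child_process");
  const result = spawnSync("git", ["credential", "approve"], {
    input: credentialInput(cred),
    encoding: "utf8",
  });
  if (result.error) throw result.error;
  if (result.status !== 0) throw new Error(result.stderr.trim());
}
```

Calling `storeCredential({ host: "github.com", username, password: token })` requires Git on the PATH and a credential.helper already set.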
