
While trying to clone a repo with jgit, passing wrong username to UsernamePasswordCredentialsProvider actually does not result in any error, which is very surprising to me. Why is it working? How is the repo being cloned when the username is incorrect? Tried it with version 4.6.0.201612231935-r and 6.5.0.202303070854-r

I have a function that is trying to clone a git repo, given a username and access token. While trying to handle exceptions for edge cases, I noticed that passing an incorrect username, but correct access token for a specific git url and branch does NOT give any error at all!

```java
return Git.cloneRepository()
        .setURI(repoDetailsModel.getRepoUrl())
        .setCredentialsProvider(
                new UsernamePasswordCredentialsProvider(
                        "INCORRECT_RANDOM_USER", repoDetailsModel.getAccessToken()))
        .setDirectory(tempDir)
        .setBranchesToClone(Arrays.asList(REPO_BRANCH_PATH + repoDetailsModel.getRepoBranch()))
        .setBranch(REPO_BRANCH_PATH + repoDetailsModel.getRepoBranch())
        .call();
```

But passing incorrect access token does give the expected "not authorized" error. Is this a bug in the jgit library? Does UsernamePasswordCredentialsProvider allow for anonymous access as long as the access token is correct by design?

2 Answers


As noted here, the token can be used alone, as a "username".

```java
String remoteUrl = "https://${token}@github.com/user/repo.git";
CredentialsProvider credentialsProvider = new UsernamePasswordCredentialsProvider("${token}", "");
```

As long as the token works, the username might be ignored in your case.

"JGit Authentication Explained" explains:

Please note one thing if you are accessing a GitHub repository through HTTPS with an OAuth access token.
The token does not need to be specified in the URL but only given as a user name.

VonC

The JGit library just sends the credentials to the Git Repository, and that decides what is "wrong" or "correct".

As said in this answer, GitHub expects the access token as the username, while the repo that you try to access wants to have it as the password. GitHub ignores the provided password; your repository doesn't care about the username.

tquadrat
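Putting both answers together, here is an added example (not code from the question or from either answer, and not JGit's own) of a clone helper that places the token in whichever Basic-auth field the host reads and refuses a token embedded in the remote URL, where it would be persisted into `.git/config`. The `github.com` host check, the non-secret `"token"` placeholder user name and the `GIT_TOKEN` environment variable are assumptions for this illustration.

```java
import java.io.File;
import java.net.URISyntaxException;
import org.eclipse.jgit.api.Git;
import org.eclipse.jgit.api.errors.GitAPIException;
import org.eclipse.jgit.transport.CredentialsProvider;
import org.eclipse.jgit.transport.URIish;
import org.eclipse.jgit.transport.UsernamePasswordCredentialsProvider;

public final class TokenClone {

    // The token is the only secret; the server ignores the other Basic-auth field,
    // so that field gets a descriptive, non-secret marker (assumed value).
    static CredentialsProvider providerFor(URIish remote, String token) {
        if (remote.getUser() != null || remote.getPass() != null) {
            // Credentials in the URL end up in .git/config and in process/proxy logs.
            throw new IllegalArgumentException(
                    "pass the token via the credentials provider, not in the remote URL");
        }
        if ("github.com".equalsIgnoreCase(remote.getHost())) {
            // GitHub reads the token from the user-name field and ignores the password.
            return new UsernamePasswordCredentialsProvider(token, "");
        }
        // Hosts that expect token-as-password (the asker's server) ignore the user name,
        // which is why "INCORRECT_RANDOM_USER" cloned successfully.
        return new UsernamePasswordCredentialsProvider("token", token);
    }

    static Git clone(String url, String token, File dir)
            throws URISyntaxException, GitAPIException {
        URIish remote = new URIish(url);
        if (!"https".equalsIgnoreCase(remote.getScheme())) {
            // A bearer-style token must never travel over plain http.
            throw new IllegalArgumentException("token auth is only sent over https");
        }
        return Git.cloneRepository()
                .setURI(url)
                .setCredentialsProvider(providerFor(remote, token))
                .setDirectory(dir)
                .call();
    }

    public static void main(String[] args) throws Exception {
        // Assumed: token comes from the environment, never from source or the URL.
        String token = System.getenv("GIT_TOKEN");
        try (Git git = clone(args[0], token, new File(args[1]))) {
            System.out.println("cloned into " + git.getRepository().getDirectory());
        }
    }
}
```

A wrong token still fails with a JGit `TransportException` ("not authorized"), matching what the asker observed; only the non-secret field is ignored.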