Re: Failing to push to a repository erases authentication helper credentials

On 2025-06-30 at 15:09:06, Michal Suchánek wrote:
> On Mon, Jun 30, 2025 at 02:31:15PM +0000, brian m. carlson wrote:
> > It is in fact desirable because otherwise the user continues to attempt
> > to use the bad credentials and then can never again authenticate
> > successfully, since they are never again prompted for credentials.
> 
> My problem is that the credentials are actually valid, only the
> operation is not. The current behavior erases valid credentials.

Then the server needs to return a 403 or 404 and not a 401.  A 401
prompts Git to expire credentials and a 403 or 404 does not.  Only the
server knows whether the credentials are actually valid for some access
or not at all.

RFC 9110 § 15.5.2 says this:

    The 401 (Unauthorized) status code indicates that the request has
    not been applied because it lacks valid authentication credentials
    for the target resource.

and § 15.5.4 says this:

    The 403 (Forbidden) status code indicates that the server understood
    the request but refuses to fulfill it.
    […]
    If authentication credentials were provided in the request, the
    server considers them insufficient to grant access. The client
    SHOULD NOT automatically repeat the request with the same
    credentials. The client MAY repeat the request with new or different
    credentials.
    […]
    An origin server that wishes to "hide" the current existence of a
    forbidden target resource MAY instead respond with a status code of
    404 (Not Found).

So the server is incorrect in returning a 401 in this case if the
credentials are actually valid for a different operation on the same
resource.

> > Git doesn't have a behaviour to do so, but you could of course craft a
> > custom credential helper that just rejects the erase command and passes
> > everything else through to another helper.  That would achieve your
> 
> I do not want to use another helper. I want to preserve the last valid
> credentials.
> 
> Of course, using credentials that are not maintained by git at all (such
> as ssh authentication) does not have this problem. Only git-managed
> credentials get erased on invalid operation.

In general, Git does not presently offer this functionality.  We could
in theory accept a patch for a config option that makes this work, but I
expect it will lead to hard-to-troubleshoot problems for the exact
reason I mentioned.  It will also require an update to the Git FAQ to
disable that option in the example, since we use the exact same
mechanism to delete credentials for users who _do_ want to expire
credentials.
-- 
brian m. carlson (they/them)
Toronto, Ontario, CA

Attachment: signature.asc
Description: PGP signature
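
The wrapper helper suggested in the message above (reject the erase command, pass everything else through to another helper), written out as an added example; it is not code from this thread or from Git. The install path and the choice of `git credential-store` as the inner helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Git's or the thread authors' code): a credential helper
# wrapper that swallows "erase" and forwards every other operation to an
# inner helper. Git appends the operation as the last argument and writes the
# credential attributes (key=value lines) to the helper's stdin.
#
# Assumed install path and inner helper, for illustration only:
#   git config credential.helper "/usr/local/bin/git-credential-no-erase git credential-store"

# forward_unless_erase OP CMD [ARGS...]
forward_unless_erase() {
    op=$1
    shift
    if [ "$op" = "erase" ]; then
        # Drain the attributes Git sent, then do nothing: the stored
        # credential survives a 401 response.
        # Trade-off named in the thread: a credential that really is bad is
        # never expired, so Git never prompts for a replacement.
        cat >/dev/null
        return 0
    fi
    # Everything else (get, store, ...): stdin and stdout pass straight through.
    "$@" "$op"
}

# main INNER_CMD [ARGS...] OP  -- argument order as Git invokes a helper
main() {
    if [ "$#" -lt 2 ]; then
        echo "usage: $0 INNER_HELPER_CMD [ARGS...] OPERATION" >&2
        return 1
    fi
    n=$#
    i=1
    for arg in "$@"; do
        op_last=$arg                              # ends up holding the last argument
        [ "$i" -lt "$n" ] && set -- "$@" "$arg"   # re-append all but the last
        i=$((i + 1))
    done
    shift "$n"                                    # drop the original copies
    forward_unless_erase "$op_last" "$@"
}

# Run only when invoked with arguments, as Git does.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Git sends `erase` to every configured helper, so the wrapper only preserves credentials if the inner helper is not also listed directly in `credential.helper`.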

