this post was submitted on 24 Jan 2024
255 points (90.7% liked)

Open Source

31717 readers
172 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

First, they restricted code search without logging in so I'm using sourcegraph But now, I cant even view discussions or wiki without logging in.

It was a nice run

you are viewing a single comment's thread
view the rest of the comments
[–] mozz@mbin.grits.dev 1 points 11 months ago (1 children)

it will probably end up in text files and other such places, and if such a file gets into the wrong hands you'll be in less of a trouble because of the limited permissions

I am abandoning this conversation. This is only true with API tokens. With passwords, it generally stays in the password manager. The fact that the damage from your stolen API token is then mitigated if you've reduced its scope still leaves you in a worse position than if it had never been stored in the text file and never been stolen in the first place. If you can't or won't grasp this central point (or the other I mentioned in my other message), I think we have nothing to discuss.

[–] ReversalHatchery@beehaw.org 1 points 11 months ago (2 children)

The fact that the damage from your stolen API token is then mitigated if you've reduced its scope still leaves you in a worse position than if it had never been stored in the text file and never been stolen in the first place.

First, it's not a question if you have reduced it's permissions. With an api token you simply can't do a lot of things that you can with a password.

Second, you don't use api tokens as a hobby. You use them because you want to use a tool that needs to have access to your account. Either you use an api token that has a limited set of permissions, or your password that can do anything. Independently of that, it will be stored in a plain text file, because where in the heaven would it store it so that it does not need to prompt you for it every single time? Yes, there are a dozen secret store programs that could be used instead, but a lot of programs will not have support for every one of them. I fail to see that in case how a token with fewer permissions is worse than a password with all the permissions.

[–] mozz@mbin.grits.dev 1 points 11 months ago* (last edited 11 months ago)

Case in point. This literally just happened to me just now:

me@My-MacBook content % brew install projectdiscovery/tap/httpx
==> Tapping projectdiscovery/tap
Cloning into '/usr/local/Homebrew/Library/Taps/projectdiscovery/homebrew-tap'...
Username for 'https://github.com': me
Password for 'https://me@github.com': 
remote: Support for password authentication was removed on August 13, 2021.
remote: Please see https://docs.github.com/en/get-started/getting-started-with-git/about-remote-repositories#cloning-with-https-urls for information on currently recommended modes of authentication.
fatal: Authentication failed for 'https://github.com/projectdiscovery/homebrew-tap/'
Error: Failure while executing; `git clone https://github.com/projectdiscovery/homebrew-tap /usr/local/Homebrew/Library/Taps/projectdiscovery/homebrew-tap --origin=origin --template= --config core.fsmonitor=false` exited with 128.

Boy, I sure am glad I'm more secure now. I think the easiest way to get out of this is literally to make a new API token just for me to be able to type to this command. Time to log in to github and spend a few minutes not accomplishing what I was trying to do originally.

As I said before, using API tokens for genuine automated access, I'm all for. An easy way might be to only support typing passwords on interactive ttys or something, and enforce API tokens otherwise. But as it is, and especially given the fact that they're specifically reducing the security of the interactive case, it's hard not to be irritated when this kind of thing happens.

Edit: Oh, and it made me type my password into the github web site in order to generate the token. Hope no one's shoulder- or camera-surfing me.

Also, I was following old instructions anyway; the command failed and I learned I should have just done brew install httpx. I wish github was configured so I could have learned that 10 minutes ago.

[–] mozz@mbin.grits.dev 1 points 11 months ago* (last edited 11 months ago)

Aha, I think we have arrived at the crux of the confusion.

As I said several times before, I'm extremely in favor of using API tokens that way, when they're being used from an automated workflow where the alternative is to store a password. That's an increase in security, yes.

What I'm irritated about is that my use of git as a command-line tool does not function to interact with github if I just give my github password. I do not have an automated workflow. I'm just using git from the command line, and would like to be able to type my password.

If this reduction in the security and convenience of my daily setup is because github believes, as you do apparently, that the only reason to use the command line is from an automated workflow, that may form a clue as to why they don't give a shit about my preferred workflow or my not wanting to introduce new attack vectors into it. Fair enough. But please don't lecture me on how not letting me just enter my password, and forcing me to store tokens for my interactive workflow, is better. Because for me, it isn't.

Glad we had this talk.