[RFC,3/3] Allow empty user name in HTTP authentication

Message ID 20220513070416.37235-4-Simon.Richter@hogyros.de (mailing list archive)
State New
Series Allow configuration of HTTP authentication method

Commit Message

Simon.Richter@hogyros.de May 13, 2022, 7:04 a.m. UTC
From: Simon Richter <Simon.Richter@hogyros.de>

When using a Personal Access Token in Microsoft DevOps server, the username
can be empty, so users might expect that pressing return on a username
prompt will work.
---
 http.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

brian m. carlson May 13, 2022, 11:51 p.m. UTC | #1
On 2022-05-13 at 07:04:16, Simon.Richter@hogyros.de wrote:
> From: Simon Richter <Simon.Richter@hogyros.de>
> 
> When using a Personal Access Token in Microsoft DevOps server, the username
> can be empty, so users might expect that pressing return on a username
> prompt will work.

I don't think this is a good idea.  libcurl relies on CURLOPT_USERPWD
being set to enable authentication, and before the appearance of
http.emptyAuth, it was extremely common for Kerberos users to specify an
empty username to get Git to authenticate properly.  I probably still
have some repositories on my system configured that way.

I believe GitHub can also accept an empty username with a PAT, but it
can also accept a dummy (e.g., "token"), which I would hope Azure DevOps
can do as well.  In such a case, the documentation for Azure DevOps
should just be updated to tell people to specify something like "token"
or their username.

Patch

diff --git a/http.c b/http.c
index c5af90b1b8..dc71fb75ea 100644
--- a/http.c
+++ b/http.c
@@ -433,7 +433,7 @@  static int curl_empty_auth_enabled(void)
 
 static void init_curl_http_auth(CURL *result)
 {
-	if (!http_auth.username || !*http_auth.username) {
+	if (!http_auth.username) {
 		if (curl_empty_auth_enabled())
 			curl_easy_setopt(result, CURLOPT_USERPWD, ":");
 		return;
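
Review bot: Dropping `!*http_auth.username` from the condition in init_curl_http_auth() means an empty-string username no longer reaches the `curl_empty_auth_enabled()` check, so it skips both the `CURLOPT_USERPWD` ":" setting and the early `return` and falls through to the code after this block. The commit message covers only the Personal Access Token case and does not say what happens to existing setups that already use an empty username, such as the Kerberos configurations raised in the reply above. Consider keeping the empty-string test by default and taking the new path only when the user has opted in, for example through the authentication-method configuration this series introduces, and add a test that covers both an unset and an empty username.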