On Tue, Apr 02, 2013 at 03:28:45PM -0400, Jeff King wrote:
> We get redirected somewhere where we provide the (presumably wrong)
> credential again. I do not think that is git's fault; the server asked
> us to make the extra request. Is that part of the lockout procedure? If
> it is not, it seems odd that the server would issue a redirect for a
> bogus auth (shouldn't it just keep giving us 401?).

I think it is supposed to be a catch all failure mode without any
authentication but is just wrong/buggy. I'll try to debug these by
issuing curl commands step by step.

> I do not know what is going on with the redirection there, but I have a
> hunch on the extra auth round-trip.  What does your remote URL look
> like? Does it have your username (e.g., https://user@host/project.git)?

Yes, that's the giturl format I have.

> I have noticed that if curl sees such a URL, it attempts to do a
> password-less authentication itself, before even handing control back to
> git. So my above sequence would become:
>   1. git feeds URL to curl, who makes request
>   2. we get a 401
>   3. curl says "Oh, I have a username; let me try that" and re-requests
>   4. we get another 401, because we need a password
>   5. curl says "that didn't work" and hands control back to git
>   6. git requests a password from the user and gives it to curl
>   7. curl retries with the password, but it's wrong, so that results in
>      a 401, too
> At the end of it, we've now made _two_ failed requests for user X,
> rather than one. I don't know if there's a way to tell curl not to try
> the extra user-only round-trip. But you can strip the username out of
> your URL to avoid it.

It did seem like there was just one GET and 401 return before password
was promptet. I'll tripple check that.

Played around with command line curl a bit and at least it did the right
thing with a URL without username -- failed with 401 after single try --
and with URL without username but username provided -u 'username' which
succeeded or failed on single try based on password.

Don't know anything about curl but maybe git could parse the url for a
username and prompt for the password before the first 401 failure roundtrip
that's now in place. I guess most of this logic is in http.c.

To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to