Search code examples
gitazure-devopslibgit2sharp

libgit2sharp usernamepasswordcredentials appears to ignore username?

We are using GIT for deployment and it's all working splendidly. At the moment I'm writing functionality to allow a client to switch to another Deployment repository - after all we may at some point decide to start deploying from a different location, right?

We create the repository in Azure and we Generate GIT Credentials using the button after creating the Repository: enter image description here

So I present the user with a form where they can enter a new URL, a Username and a Password, and then I go check .... (vb.net code)

    Dim oCH As LibGit2Sharp.Handlers.CredentialsHandler = Nothing
    Dim oItems As IEnumerable(Of LibGit2Sharp.Reference) = Nothing
    Dim oCred As LibGit2Sharp.UsernamePasswordCredentials = Nothing

    Try
        oCred = New LibGit2Sharp.UsernamePasswordCredentials
        oCred.Username = tbBuildsCredential.Password
        oCred.Password = tbBuildsPassword.Password
        oCH = New LibGit2Sharp.Handlers.CredentialsHandler(Function(_url, _user, _cred) oCred)
        oItems = LibGit2Sharp.Repository.ListRemoteReferences(url:=tbBuildsRepository.Text,
                                                              credentialsProvider:=oCH)
        If oItems Is Nothing Then
            Return False
        End If
    Catch ex As Exception

(I'll leave out the error handling and clean up code in Finally as it's not relevant)

Ok - so I'm testing this and I enter a valid repository URL in azure devops:

https://<ourcompanynamehere>@dev.azure.com/<ourcompanynamehere>/<projectnamehere>/_git/<repohere>

I use a valid username and password and it's all fine and dandy, it returns an oItems object, its .Count > 0 ... happy days. So I try it with some invalid values to see what happens... An invalid URL returns this remote has never connected - happy days! So I try it with a correct URL but an invalid Username.... whoa wait.... it still comes back with a valid oItems object??? When I mutilate the password, once again it comes back with this remote has never connected, but it seems like the Username is completely ignored.

Is this a bug in dev.azure.com's way of doing GIT? Is this something I need to worry about? Why have a "username" at all if it gets ignored anyway?

Solution

  • Is this a bug in dev.azure.com's way of doing GIT? Why have a "username" at all if it > > gets ignored anyway?

    Nope, this is the expected action since you are using Git Credential Manager (GCM) to generate the password.

    In fact, it is not an officially password. What it generated is a Personal access token after you click the button Generate Git Credentials, and its scope only to Repos(Read&Write).

    At this time, go Security(https://dev.azure.com/{orgname}/_usersSettings/tokens) page, you will see there has one token be added which Token name is like git: https://dev.azure.com/{orgname} on {machine platform}.

    enter image description here

    For Personal access token, I'm sure you'd known that the PAT token are tied to a single user account when it generated. In another word, you doon't need input the username additionally while using PAT as authorize method. That's why the username get ignored anyway.

    You can also check this doc to get How the Git Credential Managers works

    Is this something I need to worry about?

    Just treat it as password to keep secret will not cause too much issue.

    Most of time, you don't need worry it. Because this token will expired very soon, will not longer than 1 day.

    Also, as I mentioned above, the scope of this token are only to Repos with Read&Write permission. Even if someone accidentally gets this token, they can not make operation outside the Repos.