Coder.com•9mo ago
mark

Gitlab git functionality not working after token refresh after workspace is created

Hey all, I'm using Gitlab external auth for my git functionality currently. The GIT_ASKPASS interaction works just fine when I create a new workspace, but after ~12h or so (seemingly this lines up with the token's expiration + renewal but I'm not positive) I start seeing the following error:
remote: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See https://gitlab.com/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied
fatal: Authentication failed for 'MY_REPO'
This is strange, as if I run coder external-auth access-token gitlab within that workspace the token it produces works with git if I simply set the user to oauth2 and the password to that token in my git repo using git remote set-url origin https://oauth2:MY_TOKEN@MY_REPO, but ofc once the token refreshes that no longer works. I'm not doing any of that on the workspace startup, but I am setting GIT_USERNAME and GIT_PASSWORD since I'm using envbuilder: the git actions work during build with those and, once the workspace is created, I see no GIT-related environment variables other than those I'd expect with a vanilla configuration:
$ env | grep GIT
GIT_SSH_COMMAND=/tmp/coder.X2w8uz/coder gitssh --
GIT_COMMITTER_NAME=removed
GIT_ASKPASS=/tmp/coder.X2w8uz/coder
GIT_AUTHOR_EMAIL=removed
GIT_COMMITTER_EMAIL=removed
GIT_AUTHOR_NAME=removed
Any ideas?
7 Replies
Codercord•9mo ago
Category: Help needed Product: Coder OSS (v2) What platform are you hosting Coder OSS (v2) on?
mark (OP)•9mo ago
O, weird... somehow the oauth2:password is getting into the project's .git/config 🤔 Seems like I can't get envbuilder not to clone the repo in a way that hardcodes the credentials into the .git/config file. As a workaround I'm removing that in the startup script. I don't see any way to influence that configuration.
Phorcys•9mo ago
hey @mark, could you open an issue in the GitHub repo? you will get a faster answer https://github.com/coder/coder/issues
mark (OP)•9mo ago
GitHub
Gitlab oauth2:token being written to .git/config file after cloning...
I'm using envbuilder 0.2.9 and allowing my users to set the branch portion of the GIT_URL (by using a parameter in the #refs/heads/${data.coder_parameter.repo_branch.value} value) in new worksp...
mark (OP)•9mo ago
@Phorcys This strikes me as more of an envbuilder issue so I opened it there. I haven't done any digging yet tho as I'm strapped for time but if I get a second I may open a PR.
Phorcys•9mo ago
alright!
Solution
Atif•8mo ago
GitHub
fix: do not inject GIT_USERNAME and GIT_PASSWORD into git clone URL...
Fixes #126 We had been writing the GIT_USERNAME and GIT_PASSWORD into the git auth URL as well as setting basic HTTP auth credentials. This causes GIT_USERNAME and GIT_PASSWORD to be present in the...
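
Added example (not part of the thread, and not envbuilder's or Coder's code): one way to do the startup-script workaround described above, stripping userinfo embedded in HTTPS remote URLs so that git stops reusing the stale token stored in .git/config and asks GIT_ASKPASS instead. The function names and the sample host used to exercise it are assumptions.

```shell
#!/bin/sh
# Added example: function names are assumptions, not envbuilder code.

# Remove "user:password@" userinfo from an http(s) URL.
# SSH-style and credential-free URLs pass through unchanged.
strip_url_userinfo() {
  printf '%s\n' "$1" | sed -E 's#^(https?://)[^/@]*@#\1#'
}

# Rewrite every remote in repo $1 whose URL embeds credentials.
# Prints only the number of remotes changed, never the old URL,
# because the old URL contains the token.
sanitize_repo_remotes() {
  repo=$1
  changed=0
  for name in $(git -C "$repo" remote); do
    old=$(git -C "$repo" remote get-url "$name")
    new=$(strip_url_userinfo "$old")
    if [ "$old" != "$new" ]; then
      git -C "$repo" remote set-url "$name" "$new"
      changed=$((changed + 1))
    fi
  done
  echo "$changed"
}

# Usage from a startup script: pass the repository path as the first argument.
if [ -n "${1:-}" ]; then
  sanitize_repo_remotes "$1"
fi
```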
