Cannot choose from multiple credentials

[riedel]

printf "url=https://github.com\[email protected]" | git credential fill
May 30 10:00:53.164 INFO Sending change-public-keys request
May 30 10:00:53.166 INFO Sending test-associate request
May 30 10:00:53.169 INFO Successfully authenticated against 1 database(s)
May 30 10:00:53.170 INFO Sending get-logins request
May 30 10:00:56.096 INFO KeePassXC return 2 login(s)
May 30 10:00:56.097 WARN More than 1 matching logins found, only the first one will be returned

[Frederick888]

I tried to ask for a choice from stdin but Git doesn't seem to allow passing user input onto helpers after it's done feeding its own request. Perhaps this is not feasible atm.

[JJRcop]

Someday soon this may become a real problem:
https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/

[Frederick888]

@JJRcop May I know why the KPH solution doesn't work for you?

This can be potentially solved by having a pop-up UI (like pinentry), but I'm not particularly motivated to do it since it'll pull in quite a few dependencies only to solve some fringe cases imo.

[JJRcop]

@JJRcop May I know why the KPH solution doesn't work for you?

Please forgive me for missing this, it works great. The application may consider notifying when there are multiple matching entries and link to this information.

[Frederick888]

@JJRcop Enable verbose logging -vv.

git-credential-keepassxc/src/main.rs

Lines 548 to 558 in e131992

	if !login_entries_name_matches.is_empty() {
	info!(
	"{} login(s) left after filtering by username",
	login_entries_name_matches.len()
	);
	login_entries = login_entries_name_matches;
	}
	}
	if login_entries.len() > 1 {
	warn!("More than 1 matching logins found, only the first one will be returned");
	}

In terms of the desktop notifications I'd like to keep them minimal. It might be nice to see this message via notification for the first time, but over the time it just becomes annoying imo. Notifications are limited to critical events and those require user intervention for now. If we had too many, a filter would be needed, which is another rabbit hole I don't want to go down into.

[atagen]

hi, I've tried the KPH solution linked above and GCK seems to still be requesting access to the marked entries.

I have followed the instructions exactly (KPH field return enabled in browser options, "KPH: git" field with "false" value on the relevant entry).

any advice?

edit: will followup with edit since it's not worth another comment - keepassxc, when not set to "remember" your login for github, will still prompt using all logins, but GCK will filter them after. in retrospect this should be obvious..

[Frederick888]

@atagen I'd suggest you use -vv to enable info & warning logs first. If it doesn't help, try a debug build with -vvv. Instructions can be found at https://github.com/Frederick888/git-credential-keepassxc/wiki/Troubleshooting

[stdedos]

Would you consider returning the Title (or any unique identifier) of the entries in -vv instead? 😕

For the (modified) example of https://github.com/keepassxreboot/keepassxc-browser/blob/develop/keepassxc-protocol.md#get-logins:

$ cat > ~/a.json <<"EOF"
{
    "action": "get-logins",
    "url": "<snip>",
    "submitUrl": "<optional>",
    "httpAuth": "<optional>",
    "keys": [
        {
            "id": "<saved database identifier received from associate>",
            "key": "<saved identification public key>"
        },
        {
            "id": "<another saved database identifier received from associate>",
            "key": "<saved identification public key>"
        }
    ]
}

EOF
$ jq '.keys[] | .id' ~/a.json 
"<saved database identifier received from associate>"
"<another saved database identifier received from associate>"
$

[bverhagen]

I am hit by this for two repositories of different organizations on Azure DevOps. I guess I can work around it with the KPH or by defining a different git group.

What would solve my case in the most convenient way, is if git-credential-keepassxc would match the URL in keepassxc (exact or take the one with the longest matching path). Is this a possibility or am I overlooking something?

[Frederick888]

What would solve my case in the most convenient way, is if git-credential-keepassxc would match the URL in keepassxc (exact or take the one with the longest matching path). Is this a possibility or am I overlooking something?

git-credential-keepassxc itself doesn't do further filtering based on URLs (like the browser extension, to avoid surprises). At the end of the day, only users themselves know which they want to select and how they want to select. You can combine 'get --raw' with a custom script.

…

On 10/10/24 21:14, Bart Verhagen wrote: I am hit by this for two repositories of different organizations on Azure DevOps. I guess I can work around it with the KPH or by defining a different git group. What would solve my case in the most convenient way, is if git-credential-keepassxc would match the URL in keepassxc (exact or take the one with the longest matching path). Is this a possibility or am I overlooking something? — Reply to this email directly, view it on GitHub <#3 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABCMP7YHCSUHV2VO2EHZQQ3Z2ZHO5AVCNFSM6AAAAABPWNVCHCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDIMBUGY3TQNJYGU>. You are receiving this because you commented.Message ID: ***@***.***>

-- Frederick Zhang PGP: 8BFB EA5B 4C44 BFAC C8EC 5F93 1F92 8BE6 0D8B C11D