Web lists-archives.com

Re: [RFC PATCH v1] http: add http.keepRejectedCredentials config




On Mon, Jun 04, 2018 at 12:18:59PM -0400, Martin-Louis Bright wrote:

> Why must the credentials must be deleted after receiving the 401 (or
> any) error? What's the rationale for this?

Because Git only tries a single credential per invocation. So if a
helper provides one, it doesn't prompt. If you get a 401 and then the
program aborts, invoking it again is just going to try the same
credential over and over. Dropping the credential from the helper breaks
out of that loop.

In fact, this patch probably should give the user some advice in that
regard (either in the documentation, or as a warning when we skip the
rejection). If you _do_ have a bogus credential and set the new option,
you'd need to reject it manually (you can do it with "git credential
reject", but it's probably easier to just unset the option temporarily
and re-invoke the original command).

-Peff