This repository was archived by the owner on Sep 11, 2020. It is now read-only.

TokenAuth not working as expected #999

Closed
mccurdyc opened this issue Oct 26, 2018 · 3 comments

mccurdyc commented Oct 26, 2018

I expect the following to clone a private repository using a personal access token.

...
	r, err := git.PlainClone(<directory>, false, &git.CloneOptions{
		URL:               <url>,
		RecurseSubmodules: git.DefaultSubmoduleRecursionDepth,
		Auth: &http.TokenAuth{
			Token: <personal_access_token>,
		},
	})
...
git clone https://github.com/mccurdyc/private-repo simple --recursive
error: unexpected client error: unexpected requesting "https://github.com/user/private-repo/info/refs?service=git-upload-pack" status code: 400

It looks like GitHub should support it:
https://blog.github.com/2012-09-21-easier-builds-and-deployments-using-git-over-https-and-oauth/

git clone https://<personal_access_token>@github.com/user/private-repo.git

As a side note, looks like the following work:

curl -H 'Authorization: Bearer <personal_access_token>' https://github.com/api/user/repos?visibility=private
curl -H 'Authorization: token <personal_access_token>' https://github.com/api/user/repos?visibility=private

The current implementation of TokenAuth in go-git does something similar to 2, except would only work for GitHub's API and not for cloning.

@smola added some context to this previously here

Also, this goplayground example aligns with the GitHub post in that you would send the token as username.

Next, you can simply use an OAuth token for the username and either a blank password or the string x-oauth-basic when cloning a repository.


smola commented Oct 26, 2018

It seems to me that this works as intended: GitHub accepts using a personal access token with basic HTTP authentication (that is go-git's BasicAuth).

Most modern git hostings recommend using HTTP's basic user:pass authentication for OAuth2 tokens. However, this varies from host to host. GitHub uses <token>: or <token>:x-oauth-basic. Bitbucket uses x-token-auth:<token> (docs). GitLab uses oauth2:<token> (SO).

All of these use cases should be handled with go-git's BasicAuth, which does exactly what GitHub, Bitbucket or GitLab documentation recommends doing.

go-git's TokenAuth does not use basic HTTP auth, it works by adding an HTTP header (Authorization: Bearer <token>). See https://github.com/src-d/go-git/blob/master/plumbing/transport/http/common.go#L213
It seems at some point that was the way to go with Bitbucket, but not anymore. I don't think it's a good idea to create a new TokenAuth implementation that hardcodes all known git providers in order to decide what to do with OAuth2 tokens for each of them. Users should refer to their documentation and use BasicAuth.

I would recommend removing TokenAuth completely in go-git v5.

mccurdyc commented

@smola I think removing TokenAuth is a great idea unless there is an absolute need to keep it.

At least for me, it added much more confusion because I really didn't understand the use case, because like you said, providers such as GitHub, Bitbucket and GitLab support basic HTTP auth.

You can close this issue if you want or leave it open for when this gets addressed in go-git v5.


smola commented Oct 26, 2018

@mcuadros Should we update TokenAuth godoc to deprecate it and recommend BasicAuth? Then removing it in go-git v5...
