fix: remove plaintext token storage and fix upgrade losing login#160
Merged
Conversation
- Stop writing tokens to ~/.archgate/credentials metadata file - Query git credential manager first in loadCredentials(), independent of the metadata file, so credentials survive upgrades - Add verification round-trip after git credential approve to detect misconfigured credential helpers (approve exits 0 even with no helper) - Auto-migrate legacy plaintext tokens to git credential manager on load - Make GIT_CREDENTIAL_ENV a function to pick up test-time env overrides - Isolate credential tests from system credential store on Windows via GIT_CONFIG_NOSYSTEM and GIT_CONFIG_GLOBAL
Deploying archgate-cli with
|
| Latest commit: |
b3cf9cb
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://28c0f848.archgate-cli.pages.dev |
| Branch Preview URL: | https://fix-credential-store-no-plai.archgate-cli.pages.dev |
When loadCredentials() finds a legacy metadata file with a plaintext token, it now deletes the file and returns null — prompting the user to run `archgate login` again. No migration attempt is made. Also simplifies clearCredentials() to just delete the file without parsing it for legacy token fields.
The ~/.archgate/credentials metadata file was the root cause of the upgrade-loses-login bug and the only place plaintext tokens could exist. - Remove all metadata file read/write logic (writeMetadata, readMetadata) - Remove created_at from StoredCredentials interface - loadCredentials() now only calls git credential fill — no disk I/O - saveCredentials() now only calls git credential approve — no disk I/O - Legacy metadata files are deleted on load/save/clear with a re-login prompt - Update login status to show just the username (from git credential fill) - No docs changes needed — docs don't reference the credentials file
The validate script called `bun test` directly, bypassing the --timeout 60000 flag from the test script. This caused the init idempotency integration test to flake at the default 5s timeout on CI.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
saveCredentials()no longer writes thetokenfield to~/.archgate/credentials. Only non-sensitive metadata (github_user,created_at) is written to disk. Tokens are stored exclusively in the OS credential manager viagit credential approve.loadCredentials()now queries the git credential manager first, before checking the metadata file. Previously it gated on the metadata file existing — if the file was missing or corrupted after an upgrade, credentials were lost even though the token was safely stored in the OS keychain.git credential approve, a verification round-trip (git credential fill) confirms the token was actually persisted.git credential approveexits 0 even with no credential helper configured, silently storing nothing — this is now detected and the user gets a clear warning.GIT_CONFIG_NOSYSTEM=1andGIT_CONFIG_GLOBAL=<empty file>to isolate from the Windows Credential Manager (system-level API that ignoresHOME).Test plan
bun run validatepasses (lint, typecheck, format, 587 tests, 22/22 ADR checks, build)saveCredentialswrites metadata file WITHOUT token fieldloadCredentialsreturns null when no git credential manager and no legacy tokenloadCredentialsattempts migration of legacy plaintext tokensclearCredentialshandles legacy metadata files with plaintext tokensGIT_CONFIG_NOSYSTEM