[do not merge] use a pure node implementation of git ls-remote#95
[do not merge] use a pure node implementation of git ls-remote#95guybedford merged 23 commits intojspm:0.17from adamburgess:js-git-take-2
Conversation
|
Are you saying that #90 has broken the token case for downloading private Git? If so we should file a separate bug for that!! With the protocol implementation, if you're not using it for anything else it may make sense to check it in here. My worry with the approach is that it only provides https as the protocol, while I was under the impression we currently use the |
|
This is excellent work though - I'd love to get something in along these lines and in other places if it can work out. I guess sharing through a single package makes sense if it is used by the registry as well. |
yes.
Git has 3 methods: git+ssh (with pub/private keys), git+https (dumb), and git+https (smart). This PR implements one function of the smart protocol in javascript. I'll inline my code, will make bugs easier to fix if they pop up. |
|
I think this should be all working now, I've tested with private repos (using username + token). And yeah, you do need username. there are a few articles on github, e.g. https://help.github.com/articles/git-automation-with-oauth-tokens/ which specifically include username |
|
Yeah, looks like this is a limitation of the git protocol. Note that this isn't Github's API, this is a Git operation. Note that per discussion in #97 this has absolutely nothing to do API limits, private repos, or anything else. The only reason private repos are relevant here is because they're the only ones that need any authentication at all for doing git operations. Now, all that said, this use of here's the result for this repo: https://api.github.com/repos/jspm/github/git/refs Perhaps that's worth considering. |
I believe that the reason the git protocol was used is because that it is faster than the API, at least that is what I thought this comment means: #66 (comment) |
|
Thanks @tamird the idea here is to move away from API calls entirely as they get rate limited. git remote-ls doesn't seem to be rate limited at all from what I can tell. |
|
Ah yes - if the API was used, by default that would be 60 requests per hour unauthenticated. That would pretty much force everyone to use a token. |
|
So yes, I guess we will need to bring back the username in the authentication process... #99. |
|
Actually what if we used remote-ls for unauthenticated, and then the API for when authenticated?? |
|
I'm not sure what that comment means, but if we only want tags, there is also https://api.github.com/repos/jspm/github/git/refs/tags. Git operations aren't rate limited? Seems hard to believe, but may it is so. @guybedford since we can make a single API call to get the user name, why can't we just do it for the user instead of having them enter it (which is unusual for tools using oauth)? |
|
@guybedford yeah, that'd work too. |
|
@adamburgess am I right in thinking merging this would be blocked by #99 due to the API needing a username, but apart from that we'd be good to merge? |
|
Yep, I think this would be ok to merge, apart from it completely failing if On 22 Jul 2016 1:17 AM, "Guy Bedford" notifications@github.com wrote:
|
|
Sure, thanks for the update. I've invited you as a collaborator so you can merge as you see fit. |
|
It's taking a little bit of time to do this, mainly the handling of errors. Also, now that the API is involved, it'd make sense to get caching in as well. Thanks for inviting me! I'll probably get some tests in the PR too in that case, though I'm unsure of how exactly to to test private repos |
|
That sounds like a great plan. Please just copy me in when you'd like for code review. |
|
@adamburgess I'm wondering if we should just revert the previous authentication change. Do you think this would make sense? |
|
Reverting the previous authentication change so that we can use a pure-node implementation of the git protocol? That seems backwards. The previous authentication change allowed users to avoid giving real access to their repos to JSPM. You seem to be suggesting trading security for "cleanliness", which is a bad trade in my mind. |
|
@tamird this is purely about the fact that we have a regression with private GitHub accounts, as described in the first response in #95 (comment). |
|
Ah, so the other option is to move that operation to the API as described in I can work on that if you'd like. I really would like to avoid reverting the authentication changes. |
|
As discussed, the worry with the API approach is that it means introducing rate limiting for lookups and it will at least triple the bandwidth for lookups, which can already be quite large (eg try seeing what the output is for Bootstrap for all versions...). |
|
@tamird could we not add the same PR we did to 0.16, to allow username and token or just token both as valid auth options? |
| node_js: | ||
| - "0.10" | ||
| - "0.11" | ||
| - "0.12" |
There was a problem hiding this comment.
We've actually dropped NodeJS v0 support in jspm 0.17 now.
This reverts commit 845ae9d.
|
@adamburgess thanks so much for the update here. I definitely like the suggestion of username and token, with a possible automatic lookup - worth thinking about. Are these changes compatible / complementary with the PR at #102? |
|
username + password doesn't work for API (using plain HTTP authentication), so no. but I think it's a small change to make to ask for username + token oh and FYI: when this finally gets merged I'll cut the entire thing down to just a few commits in total, not 23 ;) |
|
Merged! Thanks for your great work here. |
|
hm. sounded like @adamburgess wasn't quite ready for this to be merged. |
|
wait-- ._. the title is [do not merge] |
|
@adamburgess ah. |
|
@adamburgess you have commit access, so feel free to clean up the branch as you see fit. |
|
@adamburgess since you have commit you should set up travis, too. On Tue, Aug 2, 2016 at 10:25 AM, Guy Bedford notifications@github.com
|
|
let's just hope no one cloned the 0.17 branch in the interim :) |
|
@adamburgess it's probably not a good idea to force-push. You'll have to On Tue, Aug 2, 2016 at 10:30 AM, Adam Burgess notifications@github.com
|
|
sigh, fine how embarassing...the PR was mostly done, apart from error messages which are mostly unhelpful |
|
It's only been 10 minutes, a force push is still ok within this window if you want to clean up the history. I don't mind doing it too quickly if you like. |
|
ok, I've done that. |
|
Thanks. No problem, when you can! |
|
@adamburgess no pressure here, but I just wanted to check up if you plan to come back to this? If not I can go through and pull in these changes manually. |
3 participants
continued on from #94 (which used a loosely cobbled together npm:js-git and npm:nogit), this one uses a library I just made, npm:git-ls-remote-pure. If you like, I can inline it in this PR instead of using an external library - it's a single file.
implementation is quite small, it fetches
https://github.com/user/repo.git/info/refs?service=git-upload-packand parses the response, which is what actual git does. this means no more git! (though jspm registry still uses git...)now, onto the problems
the https git endpoint needs a username and password combo for private repositories (where password can/should be a token).
this was broken by #90 - and note, native git will also fail here.
this can be fixed in two ways
loginproperty, which contains the token's username