cmd/go: Authenticating With GOPROXY #27132
Comments
|
@gopherbot, please add label modules |
|
CC: @FiloSottile |
bcmills
added
the
NeedsDecision
|
Why is basic auth less secure than a bearer token? They both get transmitted unhashed within the secure TLS connection. Anyway, I think adding client authentication mechanisms to GOPROXY without widespread server implementations is premature. |
|
@FiloSottile do you have a suggestion other than a bearer token that is more secure? Thanks! As for basic auth, embedding the user/password in the URL makes it more susceptible for human error to expose the credentials since people can over look that there are credentials in the URL itself. |
In particular, consider that |
|
Closing as duplicate of #26232. |
Summary
The Go command should be able to pass an Authorization Header to the GOPROXY URL. Either through
Authorization: Bearer <token>or a custom header such asx-go-proxy-token.Intro:
The current Go command has two ways to authenticate with a Proxy:
Basic Authentication: by inlining the username/password in the URL i.e.
GOPROXY=https://user:password@example.com go buildRunning the Proxy behind a VPN: blocking access to anyone outside of it.
The first one is not secure while the second one is complex.
We should have a more canonical way of providing user authorization where clients can acquire a token and pass it to the Go command whether through env vars such as
GOPROXY_AUTHor through a file along the lines of~/.netrcand the Go command can then pass it as an HTTP Header to the Download Protocol requests.Please answer these questions before submitting your issue. Thanks!
What version of Go are you using (
go version)?go1.11-rc
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env)?GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/208581/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/208581/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/n4/35bgdnkd6vlgqrdzbyl0x1ycmhcndx/T/go-build555238269=/tmp/go-build -gno-record-gcc-switches -fno-common"
What did you do?
Tried to install dependencies with a private proxy.
What did you expect to see?
I expect a token-based authentication mechanism.
What did you see instead?
Options are either insecure (inlining basic auth) or complex (setting up a vpn)
The text was updated successfully, but these errors were encountered: