Research: Simplify access to repository tokens for gitserver

Created by: asdine

For Gitserver to be able to clone and fetch repos, it needs to get tokens from repo-updater and frontend. The way it is currently implemented poses several problems:

  • Tokens are stored twice in the database, once in the external service config and once in the external_service_repos table.
  • Tokens are stored on disk by git.
  • Gitserver is the main service using these tokens, yet other services need to maintain logic to get these tokens and pass them around.

Proposal

  • Write a type/package that provides a unified way of getting a token/clone URL for a given repo, and make all services that need to access the token use that type. This type would choose a random external service associated with the repo and read the token from that external service config. (2d)
  • Deprecate/Drop the external_service_repos.clone_url column (1d)
  • Make Gitserver use the new type/package instead of calling the other services to get tokens, and remove/deprecate unnecessary endpoints on repo-updater and frontend, if any. (2d)
  • (Spike) Write a custom git credential helper to let git ask for a token whenever it's needed. This helper would call a gitserver endpoint to get a token on demand. This way, no token would be stored on disk. (1d)

If this proposal is accepted, the bullet points above would be broken down into multiple issues.
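
A sketch of the credential helper from the spike bullet, added here as an example and not taken from the issue or the Sourcegraph code base. It speaks git's credential helper protocol (key=value attributes on stdin, answer on stdout). The `tokenLookup` function standing in for the gitserver endpoint, the `oauth2` username and the token value are assumptions. git sends the `path` attribute only when `credential.useHttpPath` is enabled.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// tokenLookup stands in for the proposed gitserver endpoint (hypothetical).
type tokenLookup func(host, path string) (string, error)

// readAttrs parses git's credential input: key=value lines ended by a blank line or EOF.
func readAttrs(r io.Reader) (map[string]string, error) {
	attrs := map[string]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() && sc.Text() != "" {
		k, v, ok := strings.Cut(sc.Text(), "=")
		if !ok || k == "" {
			return nil, fmt.Errorf("malformed credential attribute")
		}
		attrs[k] = v
	}
	return attrs, sc.Err()
}

// handle answers one helper invocation and never persists anything.
func handle(op string, in io.Reader, out io.Writer, lookup tokenLookup) error {
	if op != "get" {
		return nil // "store" and "erase" are no-ops, so no token reaches disk
	}
	attrs, err := readAttrs(in)
	if err != nil || attrs["protocol"] != "https" {
		return fmt.Errorf("refusing request: bad input or non-https protocol")
	}
	tok, err := lookup(attrs["host"], attrs["path"])
	if err != nil || strings.ContainsAny(tok, "\r\n\x00") {
		return fmt.Errorf("no usable token (lookup error: %v)", err)
	}
	_, err = fmt.Fprintf(out, "username=oauth2\npassword=%s\n", tok) // username is an assumption
	return err
}

func main() {
	lookup := func(host, path string) (string, error) { return "constructed-token", nil } // constructed stand-in
	if len(os.Args) < 2 || handle(os.Args[1], os.Stdin, os.Stdout, lookup) != nil {
		os.Exit(1)
	}
}
```

git would invoke the built binary through a `credential.helper` setting, passing `get`, `store` or `erase` as the last argument.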