Security: Api endpoints should not expose user credentials #4

Open
arsher opened this issue Jan 22, 2025 · 1 comment · May be fixed by #34


arsher commented Jan 22, 2025

No description provided.

dcoric self-assigned this Feb 13, 2025
Collaborator

dcoric commented Mar 19, 2025

Git-Proxy SSH Implementation Summary

Completed Features ✅

1. SSH Server Implementation

  • Added a new SSH server component to handle SSH protocol communications
  • Server listens on port 2222 (configurable, the default will be port 22)
  • Integrated with the existing proxy chain architecture

2. User Authentication Enhancement

  • Extended user model to include public SSH keys
  • Added support for multiple SSH keys per user
  • Implemented user lookup and authentication based on SSH public keys

```ts
// User can now store multiple SSH keys
interface User {
  username: string;
  gitAccount: string;
  publicKeys: string[]; // Added this field
}
```

3. CLI Enhancement

  • Added new CLI command for managing SSH keys
  • Users can add their public keys through the CLI

```bash
git-proxy keys add <public-key>  # New command
```

4. SSH Authentication Flow

  • Implemented SSH handshake process:
    1. Client connects with SSH key
    2. Server looks up user by public key
    3. If authenticated, request enters the proxy chain
    4. Chain processes request similar to HTTPS workflow

5. Proxy Chain Integration

  • Modified proxy chain to handle SSH connections
  • Maintained consistent authorization and validation steps regardless of protocol

In Progress 🔄

Enhanced Remote Communication

  • Extending pullRemote.js to support both SSH and HTTPS protocols
  • Protocol selection based on user request and configuration (hardcoded for GitHub initially as POC)

```js
// Current implementation being enhanced
if (gitProtocol === 'ssh') {
  // SSH protocol using native git: rewrite the HTTPS URL to its SSH form
  cloneUrl = action.url.replace('https://github.com/', 'git@github.com:');
  // Note: cloneUrl is interpolated into a shell command line by execSync
  execSync(`git clone ${cloneUrl}`, {
    cwd: action.proxyGitPath,
    stdio: 'pipe',
  });
} else {
  // HTTPS protocol using isomorphic-git
  await git.clone({
    fs,
    http: gitHttpClient,
    url: cloneUrl,
    // Credentials are supplied to the remote through the onAuth callback
    onAuth: () => ({
      username,
      password,
    }),
    dir: `${action.proxyGitPath}/${action.repoName}`,
  });
}
```

To Do 📝

1. UI Enhancements

  • Add SSH key management to user interface
    • Add new SSH keys
    • Delete existing keys
    • View all registered keys
  • Implement user-friendly key validation and formatting

2. Complete SSH Operation Support

  • Ensure all Git operations work seamlessly over SSH:
    • Clone
    • Push
    • Pull
    • Fetch
    • Other Git operations

Architecture Overview

```mermaid
sequenceDiagram
    participant Client
    participant SSHServer
    participant ProxyChain
    participant GitHub

    Client->>SSHServer: SSH Connection with Key
    SSHServer->>SSHServer: Authenticate via Public Key
    SSHServer->>ProxyChain: Forward Request
    ProxyChain->>ProxyChain: Process Request
    ProxyChain->>GitHub: Execute Git Operation
    GitHub->>ProxyChain: Response
    ProxyChain->>SSHServer: Forward Response
    SSHServer->>Client: Return Result
```

This implementation provides a more secure and flexible way to interact with Git-Proxy, allowing users to leverage SSH keys for authentication while maintaining all the security and control features of the proxy chain.
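
The SSH branch of the clone snippet in the comment above builds a shell command string from `action.url`. As an added example (not git-proxy's code and not part of the comment; `toSshCloneUrl` and `cloneOverSsh` are hypothetical names), this is one way to do the same HTTPS-to-SSH rewrite with strict URL validation and a `git` invocation that does not go through a shell:

```javascript
// Added example, not git-proxy code. Function names are hypothetical.
const { execFileSync } = require('node:child_process');

// Owner and repository names: letters, digits, '.', '_' and '-', never starting with '-'.
const SEGMENT = /^[A-Za-z0-9._][A-Za-z0-9._-]*$/;

// Convert https://github.com/<owner>/<repo>[.git] to git@github.com:<owner>/<repo>.git.
// Anything that is not exactly that shape is rejected instead of being passed to git.
function toSshCloneUrl(httpsUrl) {
  const url = new URL(httpsUrl); // throws TypeError on malformed input
  if (url.protocol !== 'https:' || url.hostname !== 'github.com') {
    throw new Error('only https://github.com/ URLs are supported');
  }
  if (url.username || url.password || url.port || url.search || url.hash) {
    throw new Error('unexpected URL component');
  }
  const parts = url.pathname.split('/').filter(Boolean);
  if (parts.length !== 2) {
    throw new Error('expected /<owner>/<repo>');
  }
  const owner = parts[0];
  const repo = parts[1].replace(/\.git$/, '');
  if (!SEGMENT.test(owner) || !SEGMENT.test(repo)) {
    throw new Error('invalid owner or repository name');
  }
  return `git@github.com:${owner}/${repo}.git`;
}

// Clone without a shell: each array element reaches git as one argument,
// and "--" ends option parsing before the URL.
function cloneOverSsh(httpsUrl, proxyGitPath) {
  const cloneUrl = toSshCloneUrl(httpsUrl);
  execFileSync('git', ['clone', '--', cloneUrl], { cwd: proxyGitPath, stdio: 'pipe' });
  return cloneUrl;
}
```
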

dcoric linked a pull request Mar 19, 2025 that will close this issue