Filter by username to return nothing when no match

[siimkaba]

I would like to avoid returning "arbitrary" first password when using in scripts.

diff --git a/src/main.rs b/src/main.rs
index 377fcc0..7595194 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -587,6 +587,8 @@ where
                 login_entries_name_matches.len()
             );
             login_entries = login_entries_name_matches;
+        } else {
+            return Err(anyhow!("No matching logins found"));
         }
     }
     if login_entries.len() > 1 {

Not sure is it a bug or UC for something?

[Frederick888]

It's been a while now but IIRC the motivation was that git-credential-keepassxc should try at least returning one entry as long as KPXC gives us anything, and only use the additional info to 'order' the results [1]. Another thing is that (again, IIRC) when using API keys to fetch repositories, the username doesn't really matter. So a user may have a username mismatch between Git remote URI and KPXC entry but it just happened to work as we didn't do any filtering (and the order of entries from KPXC seems to be stable). So now if we want to tackle this, it's probably better to add a new option then filter out all entries with different usernames no matter how many we received from KPXC, if username is given in the credential request. It can be part of EntryFilters [2] and be made available on both global and local positions. I'm not sure when I can have time to work on this. Contributions welcome. But if you simply use it in scripts, you can bypass git-credential and call git-credential-keepassxc directly with --raw, then write a simple jq [3] filter in the end. And out of curiosity, what is your use case, where you seem to have more than one entry that's got the same URI, and you have to rely on username solely to pin down the entry you want? [1] a30fb54 [2] https://github.com/Frederick888/git-credential-keepassxc/blob/7307382bf067980658afdd31e7a0123deab7931c/src/cli.rs#L412-L416 [3] https://github.com/stedolan/jq

…

On 14/2/23 10:42, Siim wrote: I would like to avoid returning "arbitrary" first password when using in scripts. |diff --git a/src/main.rs b/src/main.rs index 377fcc0..7595194 100644 --- a/src/main.rs +++ b/src/main.rs @@ -587,6 +587,8 @@ where login_entries_name_matches.len() ); login_entries = login_entries_name_matches; + } else { + return Err(anyhow!("No matching logins found")); } } if login_entries.len() > 1 { | Not sure is it a bug or UC for something? — Reply to this email directly, view it on GitHub <#70>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABCMP7ZZ2THLB2FOY3GRPLLWXLBGNANCNFSM6AAAAAAU24JQ44>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

-- Frederick Zhang PGP: 8BFB EA5B 4C44 BFAC C8EC 5F93 1F92 8BE6 0D8B C11D

[siimkaba]

And out of curiosity, what
is your use case, where you seem to have more than one entry that's got
the same URI, and you have to rely on username solely to pin down the
entry you want?

I am using it for scripting, there I want to get back concrete single result or error in case of my typo or missing record in keepassxc store.