Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NuGet.org login authentication workflow for dotnet nuget push #10658

Draft
wants to merge 1 commit into
base: dev
Choose a base branch
from

Conversation

chrisraygill
Copy link
Contributor

Proposal to create a workflow to push to NuGet.org via the dotnet nuget push command by NuGet.org account login in the CLI or the browser.

Issue: #10657

@zivkan
Copy link
Member

zivkan commented Mar 11, 2021

The PR title "first draft" is really unhelpful.

@chrisraygill
Copy link
Contributor Author

The PR title "first draft" is really unhelpful.

Oops, I didn't realize that's what the title became, must have made a mistake somewhere 😅 Thanks for the pointer!

@chrisraygill chrisraygill changed the title First draft NuGet.org login authentication workflow for dotnet nuget push Mar 11, 2021
@chrisraygill chrisraygill self-assigned this Mar 11, 2021
2. Login to NuGet.org using MSA.
3. Create an API key with the correct permissions/scope. Beginners will be presented with potentially overwhelming options and technical terms like expiration time, scope, unlist, and glob pattern. This is complicated enough, we have an entire [doc on how to do it securely](https://docs.microsoft.com/en-us/nuget/nuget-org/scoped-api-keys).
4. Either store the API key securely. Beginners will need to do research on how to do this or may insecurely store the API key in plaintext. The best way to do this in Windows is with `nuget setapikey`, which currently has no support on MacOS or Linux.
5. Push the package using the very long `dotnet nuget push <package id> --api-key <api key> --source https://api.nuget.org/v3/index.json` command, which is unlikely to figure out without copying from docs.
Copy link
Contributor

@loic-sharma loic-sharma Mar 11, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You really shouldn't do this. You're leaking your API key in plaintext. Remember that most operating systems store your command history to disk (like the .bash_history file).

The nuget setapikey is nominally better as you only need to leak your key once...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Which part, number 5?

Copy link
Contributor

@loic-sharma loic-sharma Mar 11, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I meant that you should avoid providing the --api-key through the dotnet nuget push command.

@JonDouglas
Copy link
Contributor

JonDouglas commented Mar 12, 2021

Ideally use oauth / sign into a NuGet / MSFT account via a link in the CLI which upon callback will authorize & allow a user to push.

This would effectively "login" the user to the NuGet account & upon further package management operations can be used as an identity source.

In an ideal world, this would effectively mean that two newly introduced commands are needed such as dotnet nuget login and dotnet nuget logout. Another flow might be to login -> push in addition to the URL flow proposed already.

<!-- What other designs have been considered and why weren't they chosen? -->
<!-- What is the impact of not doing this? -->

## Prior Art
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also consider https://github.com/Microsoft/artifacts-credprovider as prior art. This is Azure Artifact's NuGet credential provider, and I believe already does what this proposal is about, just for Azure Artifacts URLs, rather than nuget.org.


## Motivation

1. API keys can be a pain to use in many circumstances, especially for beginners. To securely upload a package to NuGet.org via the CLI you need to:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think it would be useful to run usability studies on our current nuget push flow to validate this hypothesis?

4. Either store the API key securely. Beginners will need to do research on how to do this or may insecurely store the API key in plaintext. The best way to do this in Windows is with `nuget setapikey`, which currently has no support on MacOS or Linux.
5. Push the package using the very long `dotnet nuget push <package id> --api-key <api key> --source https://api.nuget.org/v3/index.json` command, which is unlikely to figure out without copying from docs.
2. Alleviate pain for authors who are frustrated by expiring API keys.
3. Reduce risk of simple mistakes with API keys that lead to security vulnerabilities such as accidental leaks to a public repo or storing the API in plaintext to avoid hassle.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This sounds like it is a nice to have. It's really not, we have a rampant API key leak problem. Can/should we spice this up?

I know this is a public spec, but could we add how many API leaks we've detected in the past year to help quantify this problem?

@AraHaan
Copy link

AraHaan commented Apr 25, 2021

I would prefer the --api-key to die out in favor of an NUGET_API_KEY secured environment variable that must be set and then the program reads it from the environment, perfect for CI cases as well too so then things like the github actions for publishing nuget packages no longer is required to pass in the api key and instead forces nuget to use that specific environment variable (provided the user named the environment variable that name).

@loic-sharma
Copy link
Contributor

@AraHaan That is an interesting idea. That is something we should definitely consider, especially for the CI scenarios.

However, the primary motivation for this spec is to avoid API keys altogether in interactive scenarios as:

API keys can be a pain to use in many circumstances, especially for beginners.
...
No need to learn how to securely create an API key, store the API key securely, or worry about leaks and expirations.

We believe this feature will help convert a dotnet CLI users in a NuGet package author.

@JonDouglas
Copy link
Contributor

Any volunteers who would like to take this proposal up to get it merged?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants