
GitHub Public Repo Password Protection

Started by July 23, 2017 07:35 PM
8 comments, last by Alberth 7 years, 4 months ago

I published an existing project to GitHub from Visual Studio 2017 Team Explorer (C++).  Is my public (and local?) repo protected by a password?  I'm ready to start using version control, myself, to learn from and I want to make sure someone can't go to my public repo and delete or edit.  There seems to be some suggestion about cloning, but I haven't done this.  Am I protected by a password?  When I set up the account a month ago I seem to remember creating a password and I set up an organization that I'm an owner of.  I am never issued with a password request on the internet or from Team Explorer. Is there a simple secure method of security, or am I already protected?

Thank you,

Josheir

 

Depends on what you see as "password protected" when it comes to public repos.

GitHub uses passwords to prevent unauthorized users from modifying your repository (e.g. writing to it, making changes, pushing to it).

However anyone can see everything you pushed to your public repos, download it (either via clone or pulling), and fork your repository, without needing a password. They can also make their own changes and upload those changes to their own forks.


If you go to https://github.com/settings/keys you might see that you've created an SSH key.  You would need that key to make changes to your GitHub repos remotely.  It's possible it was all set up behind the scenes for you by Team Explorer.

If you go to https://github.com/settings/security you might see that you have a current OAuth token.  That means you've obtained an OAuth token (i.e. logged in) at some point from your current machine and it's being stored somewhere for use by things that use OAuth tokens, like maybe Team Explorer and certainly your browser.

Stephen M. Webb
Professional Free Software Developer

Just now, Matias Goldberg said:

GitHub uses passwords to prevent unauthorized users from modifying your repository (e.g. writing to it, making changes, pushing to it).

This seems to be what I desire.  Perhaps this is all happening behind the scenes.  Like I said, I am never prompted for the password and I am logging in from one computer and pushing from the other.

 

Just now, Bregma said:

If you go to https://github.com/settings/keys you might see that you've created an SSH key.  You would need that key to make changes to your GitHub repos remotely.  It's possible it was all set up behind the scenes for you by Team Explorer.

There is one key not used.  I change things remotely so I assume this was set up behind the scenes?

Just now, Bregma said:

If you go to https://github.com/settings/security you might see that you have a current OAuth token.  That means you've obtained an OAuth token (i.e. logged in) at some point from your current machine and it's being stored somewhere for use by things that use OAuth tokens, like maybe Team Explorer and certainly your browser.

I have two sessions and I have logged in from two computers so I am assuming whatever these tokens are, they are being handled by both of my computers: one for my browser and one for Team Explorer.  Under recovery tokens there are none.

 

I'm not trying to get too bogged down, I'm just trying to get the feel for the software and was wondering why I am never being asked for a password.  I don't know how important the key and the OAuth tokens are, is it a go?  Like I said, mainly I just don't want people changing my actual code.

Thanks,

Josheir

When you push to your repo, one of three things should happen (assuming you rebooted your computer):

  1. The tool you're using to push to github asks for your password.
  2. The tool you're using to push to github asks for your SSH password to decrypt it.
  3. You're not asked. That means the tool either has your github password stored in plain text somewhere on your hard drive, or the SSH key is stored unencrypted somewhere on your drive; which I dislike because anyone with access to your computer (i.e. someone steals your PC, breaks into your home, or infects your system with a virus/trojan) could steal your password and/or SSH key.

 

If you're in option 3, I'd advise looking into the settings of your tool online so that it doesn't save the password, or so that your SSH key is encrypted. Every time you reboot your PC, your tool should ask you for the password if security is what concerns you.

13 hours ago, Josheir said:
14 hours ago, Bregma said:

If you go to https://github.com/settings/keys you might see that you've created an SSH key.  You would need that key to make changes to your GitHub repos remotely.  It's possible it was all set up behind the scenes for you by Team Explorer.

There is one key not used.  I change things remotely so I assume this was set up behind the scenes?

14 hours ago, Bregma said:

If you go to https://github.com/settings/security you might see that you have a current OAuth token.  That means you've obtained an OAuth token (i.e. logged in) at some point from your current machine and it's being stored somewhere for use by things that use OAuth tokens, like maybe Team Explorer and certainly your browser.

I have two sessions and I have logged in from two computers so I am assuming whatever these tokens are, they are being handled by both of my computers: one for my browser and one for Team Explorer.  Under recovery tokens there are none.

You can check to see what protocol you're using to push to GitHub.  I don't know how your GUI tool  would handle it, but from the command line "git remote -v" will tell you all you need to know on the topic.  You can also examine the text file .git/config in your local working tree and check the "url" line in the "remote" stanza.

GitHub supports two protocols for a push operation: HTTPS (which will ask for a password each time) and SSH (which will use the public key you saw at https://github.com/settings/keys).

There may be one more possibility if you're not using the SSH key and you're not getting prompted for passwords: somehow an OAuth token has been set up and is in use by Team Explorer.  Look at https://github.com/settings/developers and https://github.com/settings/tokens to see if there is anything there.

OAuth acts as a sort of persistent login.  It's like having a key to your hotel room: you need to authenticate once to the hotel desk clerk by showing your passport and leaving your credit card imprint, they then hand you a key you can use to come and go as you please until your registration expires.  With OAuth, you're prompted for your password once through your browser, and then every time you return to the web page, you (silently behind the scenes) show your token to prove you had the right credentials at some point.  So, you were probably prompted for your password at some point in the past and have been using your OAuth token since then.  It will expire at some point and you will have to use your password again.

Either way, unless you take extraordinary measures, no one can push to or delete your repositories at GitHub unless you have explicitly granted them permission to do so either by adding them as a team member or adding them as a collaborator.

No one can change or delete your local repos unless they have physical access to your machine (which is not specifically a git problem) or you have incorrectly set up a git server running on your machine.  Note that it takes a lot of time and effort to set up a git server, it's not something you could accidentally do.

Stephen M. Webb
Professional Free Software Developer
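The check described in the post above (reading the "url" line of each "remote" stanza in .git/config), written out as an added example that is not part of the original thread. The function names and the sample config are hypothetical and constructed for illustration, and the script goes one step beyond the post by also flagging a credential written directly into a remote URL, which is one way a secret ends up in plain text on disk.

```shell
# Print "<remote> <url>" for every url/pushurl under a [remote "..."] section.
remote_urls() {
    awk '
        /^[ \t]*\[/ {
            name = ""
            if (match($0, /\[remote "[^"]+"\]/))
                name = substr($0, RSTART + 9, RLENGTH - 11)
            next
        }
        name != "" && /^[ \t]*(push)?url[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            print name, $0
        }' "$1"
}

# Map a remote URL to its transport (heuristic; scp-style host:path is SSH).
classify_url() {
    case "$1" in
        https://*) echo https ;;
        ssh://*)   echo ssh ;;
        file://*|/*|./*|../*) echo local ;;
        *://*)     echo other ;;
        *:*)       echo ssh ;;
        *)         echo local ;;
    esac
}
# "yes" when the URL carries user:secret@host, i.e. a credential in plain text.
has_embedded_secret() {
    case "$1" in *://*) ;; *) echo no; return ;; esac
    rest=${1#*://}; authority=${rest%%/*}
    case "$authority" in *:*@*) echo yes ;; *) echo no ;; esac
}
audit_config() {
    remote_urls "$1" | while read -r name url; do
        echo "$name $(classify_url "$url") embedded_secret=$(has_embedded_secret "$url")"
    done
}

# Constructed sample config; names and the token are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[remote "origin"]
    url = https://github.com/example-user/example-repo.git
[remote "backup"]
    url = git@github.com:example-user/example-repo.git
[remote "ci"]
    url = https://example-user:PLACEHOLDER@github.com/example-user/example-repo.git
EOF
audit_config "$sample"; rm -f "$sample"
```

To audit a real working tree, call `audit_config .git/config` from its top-level directory.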

Just now, Bregma said:

Either way, unless you take extraordinary measures, no one can push to or delete your repositories at GitHub unless you have explicitly granted them permission to do so either by adding them as a team member or adding them as a collaborator.

No one can change or delete your local repos unless they have physical access to your machine (which is not specifically a git problem) or you have incorrectly set up a git server running on your machine.  Note that it takes a lot of time and effort to set up a git server, it's not something you could accidentally do.

By "either way" and these two paragraphs do you mean that no matter how it's working my repo is protected by a password or an SSH key?  That is, a different computer cannot access my repo without my password no matter how my software is working?

 

I checked with the remote command and I looked at the config file and they displayed the url for fetch and push.

I looked at the SSH link and deleted the unused SSH and there was no effect.

I clicked on the links for OAuth and one link said: no OAuth applications, and the other link asked if I would like to generate a personal token.

 

 

Just now, Matias Goldberg said:

...That means the tool either has your github password stored in plain text somewhere on your hard drive

According to Matias one of three options is happening, so I assume since I'm not using an SSH key and I'm not being asked for the password that the password is being stored in a working manner on my hard drive, right?

 

I think I'm just looking for general security, that is protection from other computers changing my own source code on the GitHub server.  I think this will be secure enough.

 

Thanks for your help, I really want to get going on this project but I want to be sure that my code won't be modified.

Josheir

Well I went for a walk and was thinking maybe I should try a new local repo to understand this password entering problem.

So upon doing so I encountered "Sign Out" under Team Explorer - Home - Projects - Manage Connections.  This seems to have done the trick, Visual Studio is now asking for my Username/Email and Password when Connecting.

That's all it was, should be problem solved I think.  You all agree?

Thank you,

Josheir 

Looks that way :)

This topic is closed to new replies.
