Heroku git bash won't open browser for login - heroku

When I try to log in on git bash it says "heroku: Press any key to open up the browser to login or q to exit:". I am pressing it, but it's stuck here. It won't open browser for login.

Looks like there is an incident with heroku login! Facing the same issue. Cannot login via the dashboard too.

Have you reset your password yet? They just force reset all passwords that hadn't been updated since a recent breach occurred. I was unable to login this morning and found all my sessions had expired. Once I did the password reset I was able to login again as normal.
Details
Salesforce-owned subsidiary Heroku on Thursday acknowledged that the
theft of GitHub integration OAuth tokens further involved unauthorized
access to an internal customer database.
The company, in an updated notification, revealed that a compromised
token was abused to breach the database and "exfiltrate the hashed and
salted passwords for customers' user accounts."
As a consequence, Salesforce said it's resetting all Heroku user
passwords and ensuring that potentially affected credentials are
refreshed. It also emphasized that internal Heroku credentials were
rotated and extra detections have been put in place.
Official: https://status.heroku.com/incidents/2413
Press: https://thehackernews.com/2022/05/heroku-forces-user-password-resets.html

Related

Heroku login - There was a problem with your login

I am trying to login into my heroku account but that fails with There was a problem with your login.
I have already reset my password and tried logging in from four different browsers on three different machines, to no avail.
I would raise a ticket at the heroku helpdesk but that is not possible without login. Any idea how to proceed on this? I haven't found a traditional hotline to call either...
Heroku experienced a major security incident last month and further determined that an "attack agent" exfiltrated hashed passwords. Because of this incident, Heroku reset all user passwords on May 4.
From the incident page:
Salesforce is ensuring all Heroku user passwords are reset and potentially affected credentials are refreshed. We have rotated internal Heroku credentials and put additional detections in place.
For now, a password reset to something other than your last password is not a bad idea.
Resetting my password worked for me

Heroku Login Multi-Factor Authentication mfa_required error (without opening a browser)

When using Heroku Multi-Factor Authentication, is there any way to login via the console without opening the browser?
ubuntu:~/environment $ heroku login -i
heroku: Enter your login credentials
Email [hello@gmail.com]:
Password: ****************
› Error: Your account has MFA enabled; API requests using basic authentication with email and password are not supported. Please
› generate an authorization token for API access.
›
› Error ID: mfa_required
Yes. Basically, to set this up what you want to do is:
Login to Heroku and create an API Token under "Account settings". (You said "without opening a browser", and I'm assuming you mean 'How to authenticate from the command-line'. To set this up you will need to open a browser ... once ;)
In your local machine's home directory, check to see if you already have a file called .netrc. If not, simply create one like so -- touch ~/.netrc.
From there you'll want to append the following to that file (and save):
machine api.heroku.com
login <your-email-goes-here>
password <the-api-token-goes-here>
machine git.heroku.com
login <your-email-goes-here>
password <the-api-token-goes-here>
If you just created the .netrc file you'll want to chmod 600 .netrc to give it necessary permissions.
At this point, you can try the command heroku auth:whoami and hopefully see your user e-mail printed back to you.
FWIW, Heroku does have some docs covering this here, but to be honest, the docs are rather disjointed and I would think unhelpful to someone that's never done something like this before, which is why I tried to go step-by-step.
I hope this is what you wanted and / or someone finds this helpful :)
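The .netrc steps above can be scripted so that the file is private from the moment the token is written, rather than tightened with chmod afterwards. This is an added example, not part of the original answer or Heroku's tooling; the function names `write_heroku_netrc`, `netrc_is_private` and `file_mode` are hypothetical, and it assumes each entry starts on a line beginning with `machine`.

```shell
# Added example (not Heroku's code). Assumes entries start on a line beginning
# with "machine", the layout used in the answer above.

# Octal permission bits of a file: GNU stat first, then BSD/macOS stat.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True only if the file exists and group/other have no access to it.
netrc_is_private() {
  [ -f "$1" ] || return 1
  case "$(file_mode "$1")" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: write_heroku_netrc FILE EMAIL < token
# The token comes from stdin so it never shows up in argv or shell history.
write_heroku_netrc() {
  local file="$1" email="$2" token="" tmp host
  IFS= read -r token || [ -n "$token" ] || return 1
  [ -n "$token" ] || return 1
  # mktemp creates the file with mode 0600, so the token is never written
  # to a file that other users could read, even briefly.
  tmp=$(mktemp "${file}.XXXXXX") || return 1
  if [ -f "$file" ]; then
    # Keep entries for other hosts; drop stale Heroku entries.
    awk '$1 == "machine" { skip = ($2 == "api.heroku.com" || $2 == "git.heroku.com") }
         $1 == "default" { skip = 0 }
         !skip' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  fi
  for host in api.heroku.com git.heroku.com; do
    printf 'machine %s\n  login %s\n  password %s\n' "$host" "$email" "$token"
  done >> "$tmp"
  # Rename within the same directory replaces the old file in one step.
  mv "$tmp" "$file"
}
```

Run it as `write_heroku_netrc ~/.netrc <your-email-goes-here>` and paste the token on stdin; `netrc_is_private ~/.netrc` can be called from a login script to flag a file whose mode has drifted.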
For a multi-factor authentication enabled heroku account, if you can get the API key then there is a simpler way to sign in via CLI. Type -> heroku login -i
Enter the email id associated with your heroku account and for password you must enter the API key that you got from the account settings page.

Xcode 12 - GitHub Login Forced to use Personal Access Token

Xcode won't let me login to GitHub using my email and password, and is forcing me to use an account and personal access token. Of course, I could just generate a token and log in with that. However, I’d prefer not to have to use tokens - logging in with an email and password is just so much more simple.
Is this normal behavior, and is anyone else experiencing this? Maybe there is a workaround that I'm not aware of?
This is normal behavior. GitHub is deprecating their basic auth with username/password for their API. In fact, when you access them via Xcode with an old account you get an email about it:
Basic authentication using a password to the API is deprecated and
will soon no longer work. Visit
https://developer.github.com/changes/2020-02-14-deprecating-password-auth/
for more information around suggested workarounds and removal dates.
To do this, after you generate the token (recommend the repo token), go to Xcode > Preferences > Accounts > GitHub
If SSH is shown: press Enter Password and a new screen appears with a placement for your token. When you enter the token, the protocol will change to HTTPS.
That's it.

Is there a way to revoke an active session on GitLab?

Is there a way to revoke an active session on GitLab? I tried to revoke an active session on the active session settings but there is no button to do it.
This is pending, as a feature request in gitlab-org/gitlab-foss issue 59408 and gitlab-org/gitlab issue 27518
This feature existed before, but was removed due to reasons listed in the linked issue.
It was a security issue about "a way for any logged in user (attacker) to escalate his privileges to gitlab administrator if the real gitlab administrator impersonates attacker's account."
So:
to delete a single session you would need the session_id which is no longer exposed in the UI. As a workaround, you can delete all sessions of the user from Rails console:
ActiveSession.list(user).each{ |session| ActiveSession.destroy(user, session.session_id)}
The Merge Request 17462 is in progress.

Personal Access Token in Github not working

I have a private repository on my personal Github account that I work on from time to time, but not on a daily basis.
The repository has been cloned using HTTPS (not SSH or git://).
In order to access the repository from the command line, I set up a personal access token as explained here: https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/
I am positive it did work back then (I moved away from SSH precisely because this kind of persistent headache).
However, when I try to push to my repository after a few weeks I get the dreaded:
$ remote: Repository not found. fatal: repository
$ 'https://github.com/nicolas-miari/MyPrivateRepo.git/' not found
What am I missing?
Addendum: I deleted the token on Github, created a new one, and followed the instructions here: https://help.github.com/articles/updating-credentials-from-the-osx-keychain/ to clear the old token stored in the keychain. I was able to re-clone my private repository. However,
This still doesn't explain why the previous access token suddenly stopped working, and
My keychain had two "Internet password" entries matching the host github.com: The access token I just deleted, and my web login password for a different Github account (work). Maybe this has something to do with it?
Background info: To avoid having to log in/out frequently, I have my work account's web credentials saved in Safari (and the Keychain), and my personal account's web credentials saved in Firefox.
Addendum 2: After running the command given on the linked help page:
$ git credential-osxkeychain erase
host=github.com
protocol=https
[enter]
...the additional password is gone from the Keychain (only my newly added Personal Token remains), however I can still log in to my account on Safari...?
Update: Now I can't push to repos from my work account (whose credentials I deleted from Keychain...). This system really needs a healthy dose of Just Works...
I have a private repository that I have a dependency on, using https://github.com... in my package.json. I have ssh set up on my computer, also I have personal access token. Even though I provide my personal access token as the password it fails. So I changed my git config url using the following and it worked like a charm.
git config --global url."git@github.com:".insteadOf "https://github.com/"
You can double check your ~/.gitconfig to see something like this:
[url "git@github.com:"]
insteadOf = https://github.com/
I tried all the suggestions I could find and the only thing that worked for me was deleting Git on my computer. Once I downloaded it again, it asked me to log in with the browser, which I did, and then it worked.
Don't forget that Safari has access to iCloud Keychain
That could explain why, even though you have cleared your local OSX keychain, you still can log on to GitHub with Safari.
My colleague was facing the same issue on Linux, and we just logged out from the browser and logged back in, and git commands from the terminal started working with PAT, don't know the relation of terminal command with browser authentication but it worked.
Best guess is that the token expired.
At the time of writing, you can set the token expiration period. If you attempt to select "No expiration", the GitHub UI gives the explicit warning:
GitHub strongly recommends that you set an expiration date for your token to help keep your information secure.
When you inspect existing Personal Access Tokens, you can see an indication of when it was last used and when it's due to expire.
Not sure about when this question was asked 5 years ago but, I assume, as this type of auth was optional back in the day the UI was probably less helpful. The OP mentioned using the repo occasionally and if you set up a token for the first time with expiry of 30 or 60 days, it's easy to have forgotten that a couple of months later.
