From 928347948975e65e9006f80f0339a4681b4f3a28 Mon Sep 17 00:00:00 2001 From: Jan Lindemann Date: Thu, 20 Nov 2025 17:32:04 +0100 Subject: [PATCH] make, scripts: Don't unconditionally clone with proactiveAuth=basic Don't unconditionally add proactiveAuth=basic to Git's config during clone, but only if cloning happens after authentication. This saves unauthenticated users funny password prompts. On the other hand, this makes a server setting persistent which could be changed on the server. URL =~ /api/ (or so) => 401, followed by Basic Auth URL !=~ /api/ (or so) => Redirect or free access, depending on resource Currently all resources, including API, are accessible by either basic auth or a Cookie, but basic auth needs to be present in the first request, which throws off some clients (notably Git without proactiveAuth=basic). Signed-off-by: Jan Lindemann --- make/projects-dir-minimal.mk | 6 +++++- scripts/pgit.sh | 15 +++++++++++---- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/make/projects-dir-minimal.mk b/make/projects-dir-minimal.mk index 0ed08519..e93c515f 100644 --- a/make/projects-dir-minimal.mk +++ b/make/projects-dir-minimal.mk @@ -47,6 +47,8 @@ endif ifneq ($(JANWARE_USER),) CLONE_FROM_USER ?= $(JANWARE_USER) + GIT_GLOBAL_OPTS += -c https.proactiveAuth=basic + export GIT_GLOBAL_OPTS else CLONE_FROM_USER ?= janware endif @@ -61,8 +63,10 @@ include $(PROJECTS_DIR_INCLUDE_MK) $(PROJECTS_DIR_INCLUDE_MK): | $(JWBDIR) $(JWBDIR): - git -c http.proactiveAuth=basic clone $(addprefix -b ,$(JW_BUILD_BRANCH)) $(JWBDIR_GIT_REMOTE) $(JWBDIR) + git $(GIT_GLOBAL_OPTS) clone $(addprefix -b ,$(JW_BUILD_BRANCH)) $(JWBDIR_GIT_REMOTE) $(JWBDIR) +ifneq ($(findstring proactiveAuth,$(GIT_GLOBAL_OPTS)),) git -C $(JWBDIR) config set http.proactiveAuth basic +endif make $(MAKECMDGOALS) all: link-makefile.done diff --git a/scripts/pgit.sh b/scripts/pgit.sh index e894ea81..e54e7188 100644 --- a/scripts/pgit.sh +++ b/scripts/pgit.sh 
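Review bot: The option appended in the `ifneq ($(JANWARE_USER),)` branch is spelled `https.proactiveAuth`, while the clone line this patch removes and the `config set` line in the `$(JWBDIR)` recipe both use `http.proactiveAuth`. Git's setting lives under `http.`, and an unknown key passed with `-c` is accepted silently, so the authenticated clone would go out without proactive Basic auth. The later `findstring proactiveAuth` test still matches, so the setting is persisted anyway and the mismatch is easy to miss. The line should read `GIT_GLOBAL_OPTS += -c http.proactiveAuth=basic`. A short comment next to `export GIT_GLOBAL_OPTS` noting that scripts/pgit.sh reads the variable from the environment would also help.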
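Review bot: The `ifneq ($(findstring proactiveAuth,$(GIT_GLOBAL_OPTS)),)` guard in the `$(JWBDIR)` recipe keys a persistent credential setting off a substring match. Any inherited value that merely mentions the key, for instance `-c http.proactiveAuth=none` from the caller's environment, still writes `basic` into the clone's config. The same test appears as `[[ "$GIT_GLOBAL_OPTS" =~ proactiveAuth ]]` in `run_clone` in scripts/pgit.sh. Testing the condition that actually selects the behaviour, `ifneq ($(JANWARE_USER),)`, or a dedicated flag variable exported alongside `GIT_GLOBAL_OPTS`, would keep the one-off clone option and the persisted setting from drifting apart. A comment above the `config set` line stating that it makes Git send Basic credentials on the first request of later fetches would record why it is conditional.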
@@ -91,6 +91,15 @@ commit() clone() {( + run_clone() { + local url="$1" + local p="$2" + run_git $GIT_GLOBAL_OPTS clone "$url" "$p" + if [[ "$GIT_GLOBAL_OPTS" =~ proactiveAuth ]]; then + run_git -C $p config set http.proactiveAuth basic + fi + } + local p config cd $pdir @@ -145,8 +154,7 @@ clone() if [ -d $p ]; then run_git -C $p pull --recurse-submodules=on-demand else - run_git -c http.proactiveAuth=basic clone $remote_base/$fromuser$remote_subpath/$p - run_git -C $p config set http.proactiveAuth basic + run_clone $remote_base/$fromuser$remote_subpath/$p $p fi else local remotename="jw-$fromuser" @@ -166,8 +174,7 @@ clone() fi else # set -x - run_git -c http.proactiveAuth=basic clone $remote_base/$fromuser$remote_subpath/$p - run_git -C $p config set http.proactiveAuth basic + run_clone $remote_base/$fromuser$remote_subpath/$p $p run_git -C $p remote rename origin $remotename || fatal failed to rename remote in $p run_git -C $p remote set-url --push $remotename no_push if [ $create_remote_user_repos = true ]; then
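Review bot: `run_git -C $p config set http.proactiveAuth basic` in `run_clone` stores the setting for the whole repository, so Git will send Basic credentials unprompted to any HTTP(S) remote later added to that clone, not only to the server it was cloned from. Git honours per-URL `http.<url>.*` keys, so scoping the persisted key, e.g. `run_git -C "$p" config set "http.<server-base-url>.proactiveAuth" basic` with the placeholder filled from the clone URL, limits the exposure to that host. Because the credentials go out before any challenge, that URL should be HTTPS. The same applies to the `config set` line in the `$(JWBDIR)` recipe of make/projects-dir-minimal.mk. Whether `run_git` aborts on a failed clone is not visible in this hunk; if it does not, the `config set` would run against a missing directory.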
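Review bot: The new call `run_clone $remote_base/$fromuser$remote_subpath/$p $p` passes both arguments unquoted, so a path component containing whitespace or glob characters is split or expanded before `run_clone` receives it. `run_clone` itself quotes `"$url"` and `"$p"` for the clone, so the call site undoes that care. Quoting at the call site, `run_clone "$remote_base/$fromuser$remote_subpath/$p" "$p"`, and in the helper's `run_git -C "$p" config set …` line keeps the two consistent. The identical call in the following hunk (`@@ -166,8 +174,7 @@`) needs the same change. The enclosing `clone()` body starts and ends outside these hunks.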