Unauthorized accounts are able to push to my GitHub repository

Question

I have two GitHub profiles. I created a repository using one and created a token through my IDE (PyCharm) and GitHub for the other account so that it can push commits. I had some successful pushes and merges from the other account which makes sense because I had provided a token.

Here is the unexpected part. As part of an experiment, I revoked all generated tokens on GitHub. After doing so, my other account was still able to push to the repo! Being very surprised by this result, I continued the experiment as follows: I ran git config user.email inside the local repo folder to update the email address to a nonsense email address that I'm pretty sure does not exist. Even after this change, I was still able to use git push to push changes to my remote on GitHub. That is, I can see the changes on GitHub. Any idea why that is? Two notes, just in case:

1. During the entire experiment, I was using a single computer (my laptop). Could it be that the generated tokens are stored somewhere and are being used no matter what the current user email address is? Again, all the generated tokens are revoked on the remote (GitHub).
2. There is only one branch, master , on both my local and remote.

Answer 1

user.name and user.email don't control any sort of authentication parameters. The former is a personal name, and the latter is an email address, and they control the name and email address placed in commits you create, either as the author or committer.

Now, GitHub does associate commits with your account based on the email address, but you can push commits for any account (or any email address) to GitHub assuming you have access to the repository. That's because many workflows involve a central maintainer who applies patches from someone and then pushes them to the repository.

As for authentication, if you're using SSH, then the tokens are not used at all. The SSH key you're using is used to authenticate you without a token. You can see the URL, which will tell you the kind of remote, by running git remote -v , which will either start with https:// for an HTTPS remote or ssh:// or git@ for an SSH remote.

If you're using HTTPS, it may be that PyCharm is issuing tokens because it's an OAuth app or GitHub App. Those types of apps can issue tokens that don't appear in the web interface because the web interface only shows personal access tokens, and those aren't personal access tokens.

The general approach to deleting stored passwords and tokens for HTTPS is outlined in the Git FAQ . However, it may be that PyCharm doesn't use a normal credential helper and therefore you may need to expire it by hand using its own tools.

Answer 2

Could it be that the generated tokens are stored somewhere and are being used even no matter what the current user email address is?

The git remote -v listed two https links for fetch and push.

Then check which credential is currently cached by the credential helper

git config --global credential.helper
xxxx  <= take note of that value

# replace xxx by that value
prinft "host=github.com\nprotocol=https" | git credential-xxx get

If it is the credential of the wrong account, delete it with:

prinft "host=github.com\nprotocol=https\nusername=WrongAccount" | git credential-xxx erase