//nbkelley /homelab

Git Push Authentication#

What Was Established#

  • GitHub deprecated password authentication for Git over HTTPS. Even if passwords worked previously, they are now rejected with a "password not supported" error.
  • Personal Access Tokens (PAT) or SSH keys are required for authentication.
  • 403 Permission Denied errors typically indicate stale cached credentials or insufficient token scopes.

Key Decisions#

  • Use Personal Access Tokens (PAT) for HTTPS Git operations.
  • Classic tokens require the repo scope for private repositories.
  • Fine-grained tokens require Contents (Read and write) and Metadata (Read) permissions, explicitly scoped to the target repository.

Current Configuration#

  • GitHub Username: NK-Iluvatar
  • Target Repository: MBTADashboard
  • Remote URL: https://github.com/NK-Iluvatar/MBTADashboard.git

Historical Notes#

  • Password Deprecation: GitHub enforced its 2021 policy change retroactively, blocking account passwords for Git operations over HTTPS.
  • 403 Troubleshooting: Resolved by clearing cached credentials (git credential reject or OS credential manager) and verifying token scopes (repo for classic, Contents for fine-grained).
  • Token Testing: Verified token validity using curl -H "Authorization: token TOKEN" https://api.github.com/user.
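
Added example (not part of the original notes): a shell helper that reads the response headers from the token test above and tells a rejected token apart from a classic token missing the repo scope, plus the credential-cache reset used for stale 403s. The function names and the GH_TOKEN variable are hypothetical, and treating a 200 response without a scopes header as a fine-grained token is an assumption.

```shell
#!/bin/sh
# Added example, not from the original notes. Function names are hypothetical.
# Capture the headers first (token read from the environment, not typed inline):
#   curl -sS -o /dev/null -D - -H "Authorization: token $GH_TOKEN" \
#        https://api.github.com/user | check_token_headers

has_scope() {  # has_scope WANTED "comma, separated, scopes" (exact match only)
  printf '%s\n' "$2" | tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF -- "$1"
}

check_token_headers() {  # raw response headers on stdin -> one-word verdict
  headers=$(tr -d '\r')
  # Last status line wins, so an interim response does not confuse the check.
  status=$(printf '%s\n' "$headers" | awk '/^HTTP\// { code = $2 } END { print code }')
  # Classic PATs list their scopes in X-OAuth-Scopes (header names are case-insensitive).
  scopes_line=$(printf '%s\n' "$headers" | grep -i '^x-oauth-scopes:' | tail -n 1)
  case "$status" in
    200)
      if [ -z "$scopes_line" ]; then
        # Assumption: no scopes header on a 200 means a fine-grained token;
        # its Contents/Metadata permissions are checked in the token settings.
        echo "fine-grained-check-permissions"
      elif has_scope repo "${scopes_line#*:}"; then
        echo "classic-ok"
      else
        echo "classic-missing-repo"
      fi ;;
    401) echo "token-rejected" ;;
    *)   echo "unexpected-status-${status:-none}" ;;
  esac
}

clear_cached_github_credential() {
  # Tell every configured credential helper to forget the github.com entry,
  # so the next push prompts for the new token instead of replaying a stale one.
  printf 'protocol=https\nhost=github.com\n\n' | git credential reject
}
```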

Open Questions#

  • None.

Sources#

  • DeepSeek conversation (2026-02-18) regarding MBTADashboard push failures and PAT configuration.

Git Push Authentication#

What Was Established#

Patterns for resolving Git push authentication issues and handling divergent branches when working across multiple machines.

Key Decisions#

  • Multi-machine workflow: Always git pull before starting work; commit and push when done.
  • Divergent branch resolution: When local and remote have diverged, use git pull --no-rebase (merge) for safety, or git fetch origin && git reset --hard origin/main to discard the local commits and match the remote exactly.

Resolving Divergent Branches#

Symptom#

hint: You have divergent branches and need to specify how to reconcile them.
fatal: Need to specify how to reconcile divergent branches.

Option 1: Merge (preserves both histories)#

git pull --no-rebase
# Or set as default:
git config pull.rebase false

Option 2: Rebase (local commits on top of remote)#

git pull --rebase
# Or set as default:
git config pull.rebase true

Option 3: Discard local, use remote only#

git fetch origin
git reset --hard origin/main

Option 4: Fast-forward only (fails if diverged)#

git pull --ff-only
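
Added example (not part of the original notes): a shell helper that counts how far HEAD is ahead of and behind origin/main before choosing one of the four options, and a version of Option 3 that keeps a backup branch so the discarded commits stay recoverable. It goes slightly beyond the commands above by checking the state first; the function names and the backup/ branch prefix are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original notes. Function names are hypothetical;
# "origin" and "main" are the remote and branch used in the commands above.

divergence_counts() {  # prints "BEHIND AHEAD" for HEAD relative to origin/main
  git fetch origin >/dev/null 2>&1 || return 1
  # Left side = commits only on origin/main, right side = commits only on HEAD.
  git rev-list --left-right --count "origin/${1:-main}...HEAD" | tr '\t' ' '
}

reconcile_advice() {  # reconcile_advice BEHIND AHEAD -> which option applies
  behind=$1 ahead=$2
  if [ "$behind" -eq 0 ] && [ "$ahead" -eq 0 ]; then
    echo "up-to-date"
  elif [ "$ahead" -eq 0 ]; then
    echo "ff-only"              # Option 4 succeeds: nothing local to reconcile
  elif [ "$behind" -eq 0 ]; then
    echo "push"                 # remote has nothing new; no pull needed
  else
    # Options 1 and 2 keep the local commits; Option 3 would drop $ahead of them.
    echo "diverged:merge-or-rebase:reset-discards-$ahead"
  fi
}

safe_reset_to_remote() {  # Option 3 with a way back
  branch=${1:-main}
  git fetch origin || return 1
  if [ -n "$(git status --porcelain)" ]; then
    echo "working tree not clean; commit or stash first" >&2
    return 1
  fi
  backup="backup/pre-reset-$(date +%Y%m%d-%H%M%S)"
  git branch "$backup" HEAD || return 1   # local commits stay reachable here
  git reset --hard "origin/$branch"
}
```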

Multi-Machine Workflow#

When working from multiple machines on the same repo:

MBTA Dashboard - Setup#

What Was Established#

Office transit dashboard deployed on a self-hosted Debian VM (PLT-MBTADisplay, 192.168.168.42). Nginx serves static files from /var/www/MBTADisplay/public and proxies /api/ requests to a Node/Express caching proxy on port 3000. API keys are stored server-side and never exposed to the browser. Process managed via pm2 with a systemd service.

Architecture#

Browser (Anthias/Desktop)
    → Nginx (:80) → / → static files (/var/www/MBTADisplay/public)
                   → /api/ → Node/Express proxy (:3000)
                                → MBTA v3 API
                                → OpenWeatherMap API
                                → RSS feeds
                                → Caches responses

Nginx Configuration#

server {
    listen 80;
    server_name transit.intra.plgt.com 192.168.168.42;

    root /var/www/MBTADisplay/public;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }

    location /api/ {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Node/Express Proxy#

Setup#

mkdir -p /opt/mbta-proxy
cd /opt/mbta-proxy
npm init -y
npm install express node-fetch

API Key Management#

  • API keys stored in /opt/mbta-proxy/.env
  • Loaded via process.env.MBTA_API_KEY in server.js
  • pm2 started with --env flag to load .env file
  • Critical: API key must survive server.js overwrites from GitHub syncs
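
Added example (not part of the original notes): a shell audit for the three properties this setup relies on, namely that .env is private to its owner, that the key never appears in files Nginx serves, and that server.js does not hard-code it. The function names are hypothetical; the paths in the usage comment are the ones given on this page.

```shell
#!/bin/sh
# Added example, not from the original notes. Function names are hypothetical.
# Usage with the paths from this page:
#   audit_api_key /opt/mbta-proxy/.env /var/www/MBTADisplay/public /opt/mbta-proxy/server.js

env_value() {  # env_value FILE KEY -> value of the last KEY= line, quotes stripped
  sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

audit_api_key() {  # audit_api_key ENV_FILE WEB_ROOT [SERVER_JS] -> findings or "ok"
  envfile=$1 webroot=$2 findings=""
  key=$(env_value "$envfile" MBTA_API_KEY)
  if [ -z "$key" ]; then echo "no-key-in-env"; return 0; fi

  # 1. The .env file should carry no group or other permission bits.
  perms=$(ls -ld "$envfile" | cut -c1-10)
  case "$perms" in
    ????------) ;;
    *) findings="$findings env-perms:$perms" ;;
  esac

  # 2. Nothing Nginx serves may contain the key literal (fixed-string match).
  if grep -rqF -- "$key" "$webroot"; then
    findings="$findings key-in-webroot"
  fi

  # 3. server.js should read process.env, not carry the key itself, so a sync
  #    from GitHub can overwrite it without losing or publishing the key.
  if [ -n "${3:-}" ] && grep -qF -- "$key" "$3"; then
    findings="$findings key-hardcoded-in-server"
  fi

  findings=${findings# }
  echo "${findings:-ok}"
}
```

The key value itself is never printed; only the names of the findings are.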

pm2 Process Manager#

pm2 start server.js --name mbta-proxy
pm2 save
pm2 startup systemd

systemd Service (/etc/systemd/system/pm2-administrator.service)#

[Unit]
Description=PM2 process manager
After=network.target

[Service]
Type=forking
User=administrator
ExecStart=/usr/local/bin/pm2 resurrect
ExecReload=/usr/local/bin/pm2 reload all
ExecStop=/usr/local/bin/pm2 kill
Restart=on-failure

[Install]
WantedBy=multi-user.target

GitHub Deployment#

Repository#

  • Repo: https://github.com/bich-nguyen/MBTADisplay.git
  • Cloned to /var/www/MBTADisplay
  • Static files in public/ subdirectory
  • Server files in /opt/mbta-proxy/ (separate from web root)

Ownership#

sudo chown -R administrator:administrator /var/www/MBTADisplay

Note: www-data ownership breaks git operations from administrator user.