fix: Finale Lösung für Credential-Problem bei öffentlichen Repositories

Das Problem 'Invalid username or token. Password authentication is not supported'
wurde durch folgende Maßnahmen behoben:

1. Komplette Deaktivierung von Credential-Mechanismen für öffentliche Repos:
   - SSH_ASKPASS und GIT_ASKPASS auf /bin/echo gesetzt (gibt leeren String zurück)
   - GIT_TERMINAL_PROMPT=0 verhindert Terminal-Prompts
   - GCM_INTERACTIVE=never deaktiviert Git Credential Manager
   - http.extraheader= entfernt möglicherweise gespeicherte Auth-Header

2. Bedingtes Setup von SSH-Askpass:
   - SSH-Askpass wird NUR für nicht-öffentliche Repos konfiguriert
   - Für öffentliche Repos werden KEINE Askpass-Mechanismen eingerichtet

3. FetchWithoutAuth Command hinzugefügt:
   - Entfernt eingebettete Credentials aus URLs
   - Verwendet bereinigte URLs für öffentliche Repositories
   - Umgeht komplett jegliche Authentifizierungsversuche

4. Erweiterte Erkennung öffentlicher Repositories:
   - GitHub, GitLab, Bitbucket, Gitee werden erkannt
   - Automatisches Setzen von SkipCredentials Flag

Diese Lösung verhindert zuverlässig, dass Git versucht zu authentifizieren,
wenn es sich um ein öffentliches Repository handelt.

Author: biancode

src/Commands/Command.cs

@@ -174,22 +174,33 @@ protected ProcessStartInfo CreateGitStartInfo(bool redirect)
                 start.StandardErrorEncoding = Encoding.UTF8;
             }
 
-            // Force using this app as SSH askpass program
+            // Get self executable file for SSH askpass
             var selfExecFile = Process.GetCurrentProcess().MainModule!.FileName;
-            start.Environment.Add("SSH_ASKPASS", selfExecFile); // Can not use parameter here, because it invoked by SSH with `exec`
-            start.Environment.Add("SSH_ASKPASS_REQUIRE", "prefer");
-            start.Environment.Add("SOURCEGIT_LAUNCH_AS_ASKPASS", "TRUE");
-            if (!OperatingSystem.IsLinux())
-                start.Environment.Add("DISPLAY", "required");
 
-            // For public repositories, disable credential prompts via environment
-            if (SkipCredentials || (Args != null && (Args.Contains("github.com") || Args.Contains("gitlab.com"))))
+            // Check if this is a public repository operation
+            var isPublicOperation = SkipCredentials || (Args != null && 
+                (Args.Contains("github.com") || Args.Contains("gitlab.com") || 
+                 Args.Contains("bitbucket.org") || Args.Contains("gitee.com")));
+            
+            if (!isPublicOperation)
+            {
+                // Only set up SSH askpass for non-public repos
+                start.Environment.Add("SSH_ASKPASS", selfExecFile); // Can not use parameter here, because it invoked by SSH with `exec`
+                start.Environment.Add("SSH_ASKPASS_REQUIRE", "prefer");
+                start.Environment.Add("SOURCEGIT_LAUNCH_AS_ASKPASS", "TRUE");
+                if (!OperatingSystem.IsLinux())
+                    start.Environment.Add("DISPLAY", "required");
+            }
+            else
             {
-                // These environment variables tell Git not to prompt for credentials
+                // For public repositories, completely disable all credential mechanisms
                 start.Environment["GIT_TERMINAL_PROMPT"] = "0";
-                start.Environment["GIT_ASKPASS"] = "echo";
+                start.Environment["GIT_ASKPASS"] = "/bin/echo";  // Return empty string
+                start.Environment["SSH_ASKPASS"] = "/bin/echo";  // Return empty string for SSH too
                 start.Environment["GCM_INTERACTIVE"] = "never";
                 start.Environment["GIT_CREDENTIAL_HELPER"] = "";
+                // Ensure no authentication is attempted
+                start.Environment["GIT_AUTH_ATTEMPTED"] = "0";
             }
 
             // If an SSH private key was provided, sets the environment.
@@ -247,6 +258,8 @@ protected ProcessStartInfo CreateGitStartInfo(bool redirect)
                 builder.Append(" -c credential.helper=!");
                 builder.Append(" -c core.askpass=");
                 builder.Append(" -c core.askPass=''");
+                // Also disable http.extraheader which might contain auth
+                builder.Append(" -c http.extraheader=");
             }
             else if (!string.IsNullOrEmpty(Native.OS.CredentialHelper))
             {

src/Commands/FetchWithoutAuth.cs

@@ -0,0 +1,136 @@
+using System;
+using System.Threading.Tasks;
+
+namespace SourceGit.Commands
+{
+    /// <summary>
+    /// Fetch command that removes authentication from URLs for public repositories
+    /// </summary>
+    public class FetchWithoutAuth : Command
+    {
+        public FetchWithoutAuth(string repo, string remote, bool noTags = false, bool force = false)
+        {
+            _remote = remote;
+            
+            WorkingDirectory = repo;
+            Context = repo;
+            
+            // Build basic fetch command
+            Args = "fetch --progress --verbose ";
+            
+            if (noTags)
+                Args += "--no-tags ";
+            else
+                Args += "--tags ";
+
+            if (force)
+                Args += "--force ";
+
+            // We'll add the remote URL directly instead of using the remote name
+            _needsUrlRewrite = true;
+        }
+
+        public async Task<bool> RunAsync()
+        {
+            if (_needsUrlRewrite)
+            {
+                // Get the remote URL
+                var remoteUrl = await new Config(WorkingDirectory).GetAsync($"remote.{_remote}.url").ConfigureAwait(false);
+                
+                if (!string.IsNullOrEmpty(remoteUrl))
+                {
+                    // Check if it's a public repository URL that we can fetch without auth
+                    if (IsPublicRepoUrl(remoteUrl))
+                    {
+                        // For HTTPS URLs to public hosts, ensure no credentials are embedded
+                        var cleanUrl = CleanUrl(remoteUrl);
+                        
+                        // Use the clean URL directly instead of the remote name
+                        // This bypasses any stored credentials
+                        Args += cleanUrl;
+                        
+                        // Ensure no credentials are used
+                        SkipCredentials = true;
+                        SSHKey = string.Empty;
+                    }
+                    else
+                    {
+                        // Use normal remote name for non-public repos
+                        Args += _remote;
+                        SSHKey = await new Config(WorkingDirectory).GetAsync($"remote.{_remote}.sshkey").ConfigureAwait(false);
+                    }
+                }
+                else
+                {
+                    // Fallback to remote name if we can't get URL
+                    Args += _remote;
+                }
+            }
+            
+            return await ExecAsync().ConfigureAwait(false);
+        }
+
+        private bool IsPublicRepoUrl(string url)
+        {
+            if (string.IsNullOrEmpty(url))
+                return false;
+                
+            // Check for HTTPS URLs to known public hosts
+            if (url.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
+            {
+                return url.Contains("github.com", StringComparison.OrdinalIgnoreCase) ||
+                       url.Contains("gitlab.com", StringComparison.OrdinalIgnoreCase) ||
+                       url.Contains("bitbucket.org", StringComparison.OrdinalIgnoreCase) ||
+                       url.Contains("gitee.com", StringComparison.OrdinalIgnoreCase);
+            }
+            
+            return false;
+        }
+
+        private string CleanUrl(string url)
+        {
+            // Remove any embedded credentials from the URL
+            // Format: https://username:password@github.com/... -> https://github.com/...
+            
+            if (!url.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
+                return url;
+                
+            try
+            {
+                var uri = new Uri(url);
+                
+                // If there's user info in the URL, remove it
+                if (!string.IsNullOrEmpty(uri.UserInfo))
+                {
+                    // Reconstruct URL without credentials
+                    var cleanUri = new UriBuilder(uri)
+                    {
+                        UserName = string.Empty,
+                        Password = string.Empty
+                    };
+                    
+                    return cleanUri.Uri.ToString();
+                }
+                
+                return url;
+            }
+            catch
+            {
+                // If parsing fails, try manual cleaning
+                var atIndex = url.IndexOf('@');
+                var protocolEnd = url.IndexOf("://") + 3;
+                
+                if (atIndex > protocolEnd && atIndex < url.Length - 1)
+                {
+                    // Remove everything between :// and @
+                    return url.Substring(0, protocolEnd) + url.Substring(atIndex + 1);
+                }
+                
+                return url;
+            }
+        }
+
+        private readonly string _remote;
+        private readonly bool _needsUrlRewrite;
+    }
+}