From 8ece105134dfda99ac77f8769643a081f0327f3c Mon Sep 17 00:00:00 2001 From: danielgruesso Date: Tue, 4 Jun 2019 11:35:58 -0400 Subject: Add note about token storage in plain text --- doc/user/clusters/applications.md | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'doc/user') diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 3fc79197517..669ed3806ce 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -166,6 +166,13 @@ is automatically provisioned and configured using the authenticated user's: JupyterLab's Git extension enables full version control of your notebooks as well as issuance of Git commands within Jupyter. Git commands can be issued via the **Git** tab on the left panel or via Jupyter's command line prompt. +NOTE: **Note:** +JupyterLab's Git extension stores the user token in the JupyterHub DB in encrypted format +and in the single user Jupyter instance as plain text. This is because [Git requires storing +credentials as plain text](https://git-scm.com/docs/git-credential-store). Potentially, if +a nefarious user finds a way to read from the file system in the single user Jupyter instance +they could retrieve the token. + ![Jupyter's Git Extension](img/jupyter-git-extension.gif) Clone repositories from the files tab in Jupyter -- cgit v1.2.1
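Review bot: In the added NOTE, the sentence "This is because [Git requires storing credentials as plain text]" overstates what the linked page covers: git-credential-store is one credential helper that keeps credentials unencrypted on disk, not a requirement of Git itself. If the extension relies on that helper, say so directly, for example "This is because the extension uses Git's credential store helper, which keeps credentials unencrypted on disk". The note also does not say which user token is meant or what a reader should do about the exposure; naming the token and pointing to how it can be revoked would make the warning actionable. Minor wording: "single user Jupyter instance" should be hyphenated ("single-user") in both places, and "Potentially, if a nefarious user finds a way to read from the file system ..." can be tightened to "Anyone who can read the file system of the single-user Jupyter instance can retrieve the token".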