Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Add support for retrieving API token from secure storage (read from env var?) #1082

Open
NateEag opened this issue Feb 10, 2023 · 7 comments

Comments

@NateEag
Copy link
Contributor

NateEag commented Feb 10, 2023

I like to store secrets in my password store, so that they're encrypted at rest.

The exercism CLI currently stores the user's token in plaintext in the user's config file.

A simple way to allow retrieving secrets from secure storage is to read the token from an env var if it's defined, falling back to reading it from local storage only when the env var is undefined. That would allow users to populate their secrets when and how they want, with whatever tools they like.

One idiom I often use is to prepend setting the secret env var to the command, which looks like this:

EXERCISM_API_TOKEN="$(pass show exercism_api_token)" exercism download --track javascript --exercise=factory-sensors

Another approach I've seen is to support configuring a command to retrieve the API token as needed, which allows for one-and-done configuration. That might look something like this:

exercism configure --token-cmd='pass show exercism_api_token'

Populating an env var is conceptually simpler and maybe more flexible, but puts more weight on the user to know how to use it. Users worrying about secure token storage are probably advanced, so the env var seems like the right answer to me.

Regardless of the exact approach, is there interest in adding support for secure API token storage?

@github-actions
Copy link

Hello. Thanks for opening an issue on Exercism. We are currently in a phase of our journey where we have paused community contributions to allow us to take a breather and redesign our community model. You can learn more in this blog post. As such, all issues and PRs in this repository are being automatically closed.

That doesn't mean we're not interested in your ideas, or that if you're stuck on something we don't want to help. The best place to discuss things is with our community on the Exercism Community Forum. You can use this link to copy this into a new topic there.


Note: If this issue has been pre-approved, please link back to this issue on the forum thread and a maintainer or staff member will reopen it.

@SleeplessByte
Copy link
Member

@NateEag I don't want to speak before my turn but I do believe that at least a late-time passing of the token (second example) would be something we'd be interested in, as well as reading from ENV.

@iHiD iHiD reopened this Feb 13, 2023
@adelowo
Copy link

adelowo commented Jun 8, 2024

bumping this up. Need this feature, happy to contribute a fix if there is a go ahead really

cc @iHiD @SleeplessByte

@NateEag
Copy link
Contributor Author

NateEag commented Jun 11, 2024

@adelowo See this forum thread from last year - I believe there's interest in this.

I spent an hour or two trying to make it happen last year, but since I haven't used Go for anything real before, I didn't get to a PR, and I haven't gotten back to it.

@iHiD
Copy link
Member

iHiD commented Jun 12, 2024

@adelowo I'd be happy to see a PR for this. Thanks. It may take a little while to get it reviewed, and we tend to be quite strict with reviews on this repo, but if you're happy to take it on, it'd be a great addition. See this comment as the starting point :) http://forum.exercism.org/t/feature-suggestion-add-support-for-retrieving-api-token-from-secure-storage/3675/4

@adelowo
Copy link

adelowo commented Jun 15, 2024

@adelowo I'd be happy to see a PR for this. Thanks. It may take a little while to get it reviewed, and we tend to be quite strict with reviews on this repo, but if you're happy to take it on, it'd be a great addition. See this comment as the starting point :) http://forum.exercism.org/t/feature-suggestion-add-support-for-retrieving-api-token-from-secure-storage/3675/4

Well noted! Will get to it then. Thanks!

@NobbZ
Copy link
Member

NobbZ commented Jun 20, 2024

I do not consider environment variables a secure storage…

I would totally support using libsecret compatible stores on Linux, and whatever there is on WIndows and Mac for the native password stores.

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants