Add support for retrieving API token from secure storage (read from env var?) #1082
Comments
Hello. Thanks for opening an issue on Exercism. We are currently in a phase of our journey where we have paused community contributions to allow us to take a breather and redesign our community model. You can learn more in this blog post. As such, all issues and PRs in this repository are being automatically closed. That doesn't mean we're not interested in your ideas, or that if you're stuck on something we don't want to help. The best place to discuss things is with our community on the Exercism Community Forum. You can use this link to copy this into a new topic there. Note: If this issue has been pre-approved, please link back to this issue on the forum thread and a maintainer or staff member will reopen it.
@NateEag I don't want to speak before my turn but I do believe that at least a late-time passing of the token (second example) would be something we'd be interested in, as well as reading from ENV.
Bumping this up. Need this feature, happy to contribute a fix if there is a go ahead really
@adelowo See this forum thread from last year - I believe there's interest in this. I spent an hour or two trying to make it happen last year, but since I haven't used Go for anything real before, I didn't get to a PR, and I haven't gotten back to it.
@adelowo I'd be happy to see a PR for this. Thanks. It may take a little while to get it reviewed, and we tend to be quite strict with reviews on this repo, but if you're happy to take it on, it'd be a great addition. See this comment as the starting point :) http://forum.exercism.org/t/feature-suggestion-add-support-for-retrieving-api-token-from-secure-storage/3675/4
Well noted! Will get to it then. Thanks!
I do not consider environment variables a secure storage… I would totally support using libsecret compatible stores on Linux, and whatever there is on Windows and Mac for the native password stores.
I like to store secrets in my password store, so that they're encrypted at rest.
The exercism CLI currently stores the user's token in plaintext in the user's config file.
A simple way to allow retrieving secrets from secure storage is to read the token from an env var if it's defined, falling back to reading it from local storage only when the env var is undefined. That would allow users to populate their secrets when and how they want, with whatever tools they like.
One idiom I often use is to prepend setting the secret env var to the command, which looks like this:
EXERCISM_API_TOKEN="$(pass show exercism_api_token)" exercism download --track javascript --exercise=factory-sensors
Another approach I've seen is to support configuring a command to retrieve the API token as needed, which allows for one-and-done configuration. That might look something like this:
exercism configure --token-cmd='pass show exercism_api_token'
Populating an env var is conceptually simpler and maybe more flexible, but puts more weight on the user to know how to use it. Users worrying about secure token storage are probably advanced, so the env var seems like the right answer to me.
Regardless of the exact approach, is there interest in adding support for secure API token storage?
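Added example, not part of the original issue and not the Exercism CLI's own code: a Go sketch of the lookup order discussed above, with `EXERCISM_API_TOKEN` first, then a configured token command, then the plaintext config token. The `Config` type, `ResolveToken`, the argv form of the token command, and the choice to fail rather than fall back when the command errors are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Config is hypothetical; TokenCmd is the argv form of the --token-cmd idea above.
type Config struct {
	Token    string   // plaintext token from the config file
	TokenCmd []string // e.g. {"pass", "show", "exercism_api_token"}
}

// ResolveToken returns the token and the name of its source, so callers can
// log where it came from without logging the secret itself.
// Precedence: EXERCISM_API_TOKEN, then TokenCmd, then the plaintext config.
func ResolveToken(cfg Config, getenv func(string) string) (string, string, error) {
	// Assumption: an empty variable is treated the same as an unset one.
	if v := strings.TrimSpace(getenv("EXERCISM_API_TOKEN")); v != "" {
		return v, "env", nil
	}
	if len(cfg.TokenCmd) > 0 {
		// Run argv directly, not via a shell, so config text is never parsed as shell.
		out, err := exec.Command(cfg.TokenCmd[0], cfg.TokenCmd[1:]...).Output()
		if err != nil {
			// Fail closed: do not silently fall back to a stale plaintext token.
			return "", "", fmt.Errorf("token command failed: %w", err)
		}
		// Password managers such as pass put the secret on the first line.
		first, _, _ := strings.Cut(string(out), "\n")
		if t := strings.TrimSpace(first); t != "" {
			return t, "cmd", nil
		}
		return "", "", errors.New("token command printed no token")
	}
	if cfg.Token != "" {
		return cfg.Token, "config", nil
	}
	return "", "", errors.New("no API token configured")
}

func main() {
	// Constructed sample value; no real token is used here.
	_, source, err := ResolveToken(Config{Token: "constructed-token"}, os.Getenv)
	fmt.Println("token source:", source, "error:", err)
}
```

Returning the source name alongside the token lets the CLI report which store was used without ever printing the secret.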