Feature suggestion: Add support for retrieving API token from secure storage?

I like to store secrets in my password store, so that they’re encrypted at rest.

The exercism CLI currently stores the user’s token in plaintext in the user’s config file.

A simple way to allow retrieving secrets from secure storage is to read the token from an env var if it’s defined, falling back to reading it from local storage only when the env var is undefined. That would allow users to populate their secrets when and how they want, with whatever tools they like.

One idiom I often use is to prepend setting the secret env var to the command, which looks like this:

EXERCISM_API_TOKEN="$(pass show exercism_api_token)" exercism download --track javascript --exercise=factory-sensors

Another approach I’ve seen is to support configuring a command to retrieve the API token as needed, which allows for one-and-done configuration. That might look something like this:

exercism configure --token-cmd='pass show exercism_api_token'

Populating an env var is conceptually simpler and maybe more flexible, but puts more weight on the user to know how to use it. Users worrying about secure token storage are probably advanced, so the env var seems like the right answer to me.

Regardless of the exact approach, is there interest in adding support for secure API token storage?

(This was originally a GitHub issue, but that got auto-closed by the bot I didn’t know about until I’d filed the issue: Add support for retrieving API token from secure storage (read from env var?) · Issue #1082 · exercism/cli · GitHub)

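The env-var-first lookup proposed in the post above, sketched in Go as an added example; it is not part of the thread and not the exercism CLI's own code. The helper name `resolveToken`, the `user.json` path and the JSON `token` field are assumptions, and treating a defined-but-empty variable as an error rather than falling back is this example's choice.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

const tokenEnvVar = "EXERCISM_API_TOKEN" // variable name proposed in the thread

// resolveToken is a hypothetical helper; lookup has os.LookupEnv's signature.
func resolveToken(lookup func(string) (string, bool), configPath string) (string, string, error) {
	if raw, defined := lookup(tokenEnvVar); defined {
		token := strings.TrimSpace(raw)
		if token == "" {
			// Defined but empty usually means the retrieval command failed
			// (e.g. a locked password store): fail, do not fall back silently.
			return "", "", errors.New(tokenEnvVar + " is set but empty")
		}
		return token, "env", nil
	}
	// Undefined: fall back to the config file (assumed JSON with a "token" key).
	data, err := os.ReadFile(configPath)
	if err != nil {
		return "", "", fmt.Errorf("%s unset and config unreadable: %w", tokenEnvVar, err)
	}
	var cfg struct {
		Token string `json:"token"`
	}
	if err := json.Unmarshal(data, &cfg); err != nil {
		return "", "", fmt.Errorf("parse %s: %w", configPath, err)
	}
	if cfg.Token == "" {
		return "", "", errors.New("no token in environment or config file")
	}
	return cfg.Token, "config", nil
}

func main() {
	// "user.json" is a placeholder path; print the source, never the secret.
	token, source, err := resolveToken(os.LookupEnv, "user.json")
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("token loaded from %s (%d characters)\n", source, len(token))
}
```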

As my reply said on GitHub: yeah, I think this is a good idea.

@ErikSchierboom / @ee7-1282 / @iHiD is there a good reason we don’t do this yet? If not, is this something someone from the community (like Nate) could pick up, or is this something that’s perhaps already planned?

Thanks for posting. In principle the ENV var approach seems like a good thing to add. I’m not sure what the status of accepting CLI contributions is right now. I’ll discuss this with @kytrinyx and get back to you :slight_smile:

@NateEag We’ll accept a PR for using EXERCISM_API_TOKEN as an ENV var. I’ve reopened the issue. Would you be able/willing to create a PR for this? Or does it need someone in the community to do it?

It looks like I may have some space this weekend to take a whack at it. I’ve penciled it in on my calendar and will see if I can make it happen.


@NateEag Great. Thanks! :)