I like to store secrets in my password store, so that they’re encrypted at rest.
The exercism CLI currently stores the user’s token in plaintext in the user’s config file.
A simple way to allow retrieving secrets from secure storage is to read the token from an env var if it’s defined, falling back to reading it from local storage only when the env var is undefined. That would allow users to populate their secrets when and how they want, with whatever tools they like.
One idiom I often use is to prepend setting the secret env var to the command, which looks like this:
EXERCISM_API_TOKEN="$(pass show exercism_api_token)" exercism download --track javascript --exercise=factory-sensors
Another approach I’ve seen is to support configuring a command to retrieve the API token as needed, which allows for one-and-done configuration. That might look something like this:
exercism configure --token-cmd='pass show exercism_api_token'
Populating an env var is conceptually simpler and maybe more flexible, but puts more weight on the user to know how to use it. Users worrying about secure token storage are probably advanced, so the env var seems like the right answer to me.
Regardless of the exact approach, is there interest in adding support for secure API token storage?
(This was originally a GitHub issue, but that got auto-closed by the bot I didn’t know about until I’d filed the issue: Add support for retrieving API token from secure storage (read from env var?) · Issue #1082 · exercism/cli · GitHub)
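A sketch of the lookup order discussed in the post above, added here as an example; it is not part of the original post and is not the exercism CLI's code. `Config`, `TokenCmd` and `ResolveToken` are hypothetical names, and running the configured command through `sh -c` is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

const tokenEnvVar = "EXERCISM_API_TOKEN" // name from the post's example command
// Config is a hypothetical stand-in for the CLI's user config.
type Config struct {
	Token    string // plaintext token in the config file (current behaviour)
	TokenCmd string // hypothetical setting behind the proposed --token-cmd
}

// ResolveToken returns the token and its source: env var, then command, then config.
func ResolveToken(cfg Config, lookupEnv func(string) (string, bool)) (string, string, error) {
	if v, ok := lookupEnv(tokenEnvVar); ok {
		// VAR="$(pass show ...)" still sets VAR (to "") when pass fails, so an
		// empty value is an error, not a reason to fall back to plaintext.
		if v = strings.TrimSpace(v); v == "" {
			return "", "", errors.New(tokenEnvVar + " is set but empty")
		}
		return v, "env", nil
	}
	if cfg.TokenCmd != "" {
		out, err := exec.Command("sh", "-c", cfg.TokenCmd).Output()
		if err != nil {
			return "", "", fmt.Errorf("token command failed: %w", err)
		}
		// Use the first line only; a store entry may carry extra lines.
		tok := strings.TrimSpace(strings.SplitN(string(out), "\n", 2)[0])
		if tok == "" {
			return "", "", errors.New("token command printed no token")
		}
		return tok, "command", nil
	}
	if cfg.Token != "" {
		return cfg.Token, "config", nil
	}
	return "", "", errors.New("no API token configured")
}

func main() {
	_, src, err := ResolveToken(Config{Token: "constructed-sample-token"}, os.LookupEnv)
	fmt.Println("source:", src, "error:", err)
}
```

The plaintext config value is only reached when neither the env var nor a token command is configured, so a failing password-store lookup surfaces as an error instead of silently using the stored token.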