Add security note about passing credentials as args

2021-09-27 00:36:34 +02:00 · 2021-09-27 00:36:34 +02:00 · 3fd26f6e03
parent c346053ebb
commit 3fd26f6e03
1 changed files with 8 additions and 3 deletions
--- a/mmcli.py
+++ b/mmcli.py
@ -451,15 +451,20 @@ Hint: JSON output can be filtered with jq(1).

 	subparsers = argparser.add_subparsers(title="actions", dest="action", required=True)

-	parser_login = subparsers.add_parser("login", help="retrieve an access token")
+	password_argument_warning = f"""
+Security note: Other programs and users can typically read which arguments you give to any program. Therefore it strongly advised to use the environment variable (envvar) method when passing the credentials to the program. In many shells you can do so like this:
+  {ENVVAR_USERNAME}='aiden' {ENVVAR_PASSWORD}='2FifeVg2UGbCETYdaWscf7hmDvUHbp' {prog_name} login
+	""".strip()
+	parser_login = subparsers.add_parser(
+		"login", help="retrieve an access token", epilog=password_argument_warning, formatter_class=argparse.RawTextHelpFormatter)
 	parser_login.add_argument(
 		"login_id",
 		help=f"username or email; envvar: {ENVVAR_USERNAME}",
 		default=os.getenv(ENVVAR_USERNAME))
 	parser_login.add_argument(
-		"--password", help=f"envvar: {ENVVAR_PASSWORD}", default=os.getenv(ENVVAR_PASSWORD))
+		"--password", help=f"see security note below; envvar: {ENVVAR_PASSWORD}", default=os.getenv(ENVVAR_PASSWORD))
 	parser_login.add_argument(
-		"--totp", help=f"envvar: {ENVVAR_TOTP}", default=os.getenv(ENVVAR_TOTP))
+		"--totp", help=f"see security note below; envvar: {ENVVAR_TOTP}", default=os.getenv(ENVVAR_TOTP))

 	# TODO support multiple channels
 	# parser_cat = subparsers.add_parser("cat", help="list messages in channel(s)")