Make forge auth handling argv-safe with no token export footguns #55
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Current
forgeauthentication handling is unacceptable: token values are passed tocurlin argv.This is not limited to
forge token verify --token. The currenttoken_verifyimplementation loads the token and then callscurl -H "Authorization: token $verify_token", so even plainforge token verifywith the configured token leaks the token to the childcurlprocess argv while the request is running. The shared API helper uses the samecurl -H "Authorization: token $TOKEN"pattern, so the fix must harden auth header handling acrossforge, not just one subcommand.Project policy: no token exposure footguns in
forge.Do not add any command or flag that prints, echoes, displays, exports, or otherwise intentionally reveals a live token. In particular, do not add equivalents of
gh auth tokenorgh auth status --show-token. If a future workflow needs to hand credentials to another tool, implement a narrow credential-helper style integration for that workflow instead of a generic token-dump command.Desired design:
curl --config -, a private file descriptor, or an equivalent mechanism that keeps the Authorization header out of process arguments.forge token verifyto verify only a token supplied on stdin. No implicit configured-token mode, no--token <value>, and no--token-file <path>.forge auth statusverifies the configured/default credential source without exposing token material in argv or output.FORGEJO_TOKENorFORGE_TOKEN_FILE) internally, but route their API calls through the same argv-safe request helper.forge auth, whileforge token verifyis documented as stdin-only candidate-token verification.curl -Hargv.tests/forge/token.shto expect--tokenand--token-filerejection, and add stdin verification coverage.tests/forge/auth.shcoverage for configured-token status checks.auth token,--show-token,--token, or--token-filepath.Expected rotation usage:
Expected configured-auth usage:
This matters for the token rotation plan because verification commands must not put live token material in shell history, process argv, terminal scrollback, temporary files, generic token-export commands, or avoidable secret-path arguments.
Remove forge token verify --tokento Use stdin for forge token verificationUse stdin for forge token verificationto Make forge auth handling argv-safeMake forge auth handling argv-safeto Make forge auth handling argv-safe with no token export footgunsgh auth tokenjust straight up prints the auth token. this decision was apparently made to optimize for ecosystem adoption over secure scripting practices. 🤦hopefully it goes without saying that this is B-A-N-A-N-A-S
those corpo vampires would ship a fucking guillotine if it lead to marginally higher profits. fuck those assholes. there will be no footguns in my project so help me god