Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add --sfdx-url-stdin flag #765

Conversation

AllanOricil
Copy link

@AllanOricil AllanOricil commented Jul 28, 2023

What does this PR do?

With these changes developers can pipe the sfdx auth url from stdin as follows:

echo 'force://PlatformCLI::[email protected]' | sfdx org:login:sfdx-url --sfdx-url-stdin

Why? because it is not safe to store force://<clientId>:<clientSecret>:<refreshToken> in disk
inspired by https://docs.docker.com/engine/reference/commandline/login/

I know that this isnt really that useful because nobody is ever going to memorise these long numbers but at least it will discourage people from ever storing this info in files.

What issues does this PR fix or reference?

forcedotcom/cli#2120
@W-13176733@

@AllanOricil AllanOricil force-pushed the feature/read_auth_url_from_mem branch from d6c9d5d to c9723ee Compare July 28, 2023 15:11
@git2gus
Copy link

git2gus bot commented Aug 1, 2023

This issue has been linked to a new work item: W-13860214

Copy link
Contributor

@WillieRuemmele WillieRuemmele left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm looking at that NUT now, but wouldn't be surprirsed if we couldn't hack the execCmd method to get this working correctly, I think the UTs could cover it

src/commands/org/login/sfdx-url.ts Outdated Show resolved Hide resolved
@cristiand391
Copy link
Member

Hey @AllanOricil , I'm taking this over from Willie.
We discussed this PR with the team today and decided this should be handled in oclif rather in a specific command, see this issue:
oclif/core#761

some options discussed:

  1. make command accept url as an arg (args support reading from stdin by default), deprecate --sfdx-url-file flag.
    This is the easiest one but we usually try to avoid args and prefer flags, see style guide:
    https://github.com/salesforcecli/cli/wiki/Design-Guidelines-Flags#arguments

  2. --sfdx-url-stdin (this PR!)
    We were discussing if this should actually be a new kind of flag (Flags.stdin) where:

# reads from file
sf org login sfdx-url --sfdx-url-file auth.json

# no value specified, read from stdin
sf org login sfdx-url --sfdx-url-file

but it would require a bit of work on the parser get it working and would still have limitations (can this support multiple:true, etc).

  1. read flag value from stdin if -:
    See: Allow flags to read its value from stdin oclif/core#761

This is a common pattern in CLIs and should be easy to re-use stdin helpers for args to implement in oclif.

I'm sorry I missed your feature request, usually we try to catch these things while discussing a solution before opening an issue for contribution but I didn't follow up about your question after docs were fixed.

If you are interested in proposal to do this in oclif and want to grab it, let us know and we can assign it to you on GH. If not, we can leave this PR open and make it use allowStdin once we get to it.

Again, thanks for all your work! 🏆

@AllanOricil
Copy link
Author

AllanOricil commented Sep 24, 2023

@cristiand391 what if we merge this now and later, when oclif is changed, we can just rework this to use oclif's native solution?

I was also thinking that this command could be simplified to this

echo 'force://PlatformCLI::[email protected]' | sfdx org:login:sfdx-url

When not passing --sfdx-auth-file the command assumes the auth url is red from stdin.

I can do this change quickly if you agree.

Pros:

  • login without writting to disk
  • less characters to type in the command
  • safer
  • allows piping sfdx auth url from vaults

Cons:
None

The same changes could be applied to other auth commands. People are storing keys in disk instead of fetching from memory only. They are doing it on PUBLIC NON EPHEMERAL job runners (gitlab, github, ...)

@AllanOricil AllanOricil reopened this Sep 24, 2023
@k-capehart k-capehart mentioned this pull request Nov 30, 2023
@AllanOricil
Copy link
Author

AllanOricil commented Dec 4, 2023

@AllanOricil
Copy link
Author

closed in favor of oclif/core#894

@AllanOricil AllanOricil closed this Dec 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants