command to retreive token

[pigam]

closes #67

Instead of storing a token in plain text, a config entry can now reference a shell command prefixed with !. The command is executed at runtime and its stdout is used as the token, enabling integration with password managers such as rbw or pass.

forge auth login gains a Ctrl+E shortcut at the token prompt to enter a command interactively.

forge auth status displays the command.

[hramrach]

It would be nice to have an option to specify hostname or URL in the key command, and use the same command for all forges.

Some password databases come organized like that.

[pigam]

It would be nice to have an option to specify hostname or URL in the key command, and use the same command for all forges.

Some password databases come organized like that.

Can you give an example of what you want ?

For the moment :
token = value or token = !command. You want to add interpolation of other variables in the command, or is it something else ?
An example of what you image would be great !

[hramrach]

eg. in here

https://github.com/openSUSE/kernel-source/blob/b572de5eb963a125f55515c346881fd1e05caaf6/scripts/python/obsapi/obsapi.py#L121

You can see subprocess.check_output(['secret-tool', 'lookup', 'service', host, 'username', self.user])

That is same command used for every forge, and looked up by the 'service' tag. The 'host' argument is the host name of the forge.

This is a database that is arbitrarily created like this by another tool, the secret-tool is generic tagged storage that does not itself interpret the tags in any way.

[hramrach]

Your solution still makes it possible (hopefully) to manually configure for each forge something like

token = !secret-tool lookup service github.com type token

or somesuch but does not provide the option to configure such command globally replacing the 'github.com' with the hostname of the forge.

[pigam]

the command has now the environment FORGE_DOMAIN set to the domain, thanks @hramrach for the idea !

so your example can be written as:

token = !secret-tool lookup service $FORGE_DOMAIN type token

[andrew]

Thanks for picking up #67. The ! prefix matches what people know from git's credential.helper, and the allowTokens=false guard correctly stops a checked-in .forge from running arbitrary commands, which is the obvious trap here. Good that there's an explicit test for it.

The main thing blocking this is the execution model: token commands run eagerly at config parse time, for every domain, on every invocation. See inline comments. Making resolution lazy (store the raw value, exec only when that domain's token is actually needed) fixes most of the issues at once.

Small thing: "retreive" → "retrieve" in the PR title.

[andrew]

This runs at parse time, and config.Load() is called from rootCmd.PersistentPreRun (internal/cli/root.go:30) to read the default output format. So every forge invocation, including forge --help and forge auth login, executes the token command for every configured domain, not just the one being used.

With pass (GPG pinentry) or rbw (vault unlock) that means being challenged for unrelated domains on every command.

It also means a single failing command (vault locked, binary missing, typo) makes loadFile return an error, which propagates through resolve.go:196/276/290 and breaks every forge operation regardless of which host you're targeting.

I'd store the raw !cmd here and resolve lazily, e.g. a (*DomainSection).ResolveToken() called from resolve.TokenForDomain only when that domain is actually in use.

[andrew]

Two things here:

1. sh -c assumes sh is in PATH. CI passes on windows-latest because GitHub runners ship Git Bash, but a stock Windows install won't have it. The codebase already branches on runtime.GOOS == "windows" elsewhere; either fall back to cmd /C or document this as Unix-only.

2. c.Output() captures stderr into *exec.ExitError.Stderr but the %w wrapping below doesn't surface it, so the user just sees "rbw get foo": exit status 1 with no detail. Worth extracting and including in the error. Also consider wiring c.Stdin = os.Stdin / c.Stderr = os.Stderr so password managers that prompt on the terminal (pinentry-tty, rbw unlock) can actually do so.

[andrew]

This reimplements password input byte-by-byte to support the Ctrl+E peek, but it's a regression from term.ReadPassword: arrow keys send \x1b[D etc., the 0x1b is filtered (< 0x20) but [ and D are appended to the token. term.ReadPassword also handled Ctrl+U / Ctrl+W.

A --token-cmd 'rbw get x' flag would be simpler, scriptable, and avoid the raw-mode code entirely. The Ctrl+E shortcut can stay as sugar if you like, but I'd lead with the flag in the README.

[andrew]

Nit: error from ReadString is discarded.

[andrew]

TokenExec stores the raw value including the leading !, so this prints config (cmd: !echo secret). The ! is config syntax, not part of the command; either strip it for display or store v[1:] in TokenExec.