Skip to content

security: read token from QUIKDB_TOKEN env var, warn when --token flag used#10

Open
samsonajulor wants to merge 1 commit into
mainfrom
fix/issue-8-token-security
Open

security: read token from QUIKDB_TOKEN env var, warn when --token flag used#10
samsonajulor wants to merge 1 commit into
mainfrom
fix/issue-8-token-security

Conversation

@samsonajulor

Copy link
Copy Markdown
Contributor

Summary

The --token CLI flag exposed API tokens in ps aux output and shell history. This fix:

  • Reads from QUIKDB_TOKEN environment variable first (preferred, safe for CI/CD)
  • Keeps --token flag for convenience but prints a security warning to stderr when used
  • Documents the QUIKDB_TOKEN env var in the help output

Linked Issue

Fixes #8

Testing

  • QUIKDB_TOKEN=mytoken quikdb-frame login — reads env var silently, no warning
  • quikdb-frame login --token mytoken — reads flag, prints warning to stderr
  • quikdb-frame login — falls through to interactive login as before
  • go build ./... passes cleanly

Checklist

  • I have tested this change locally
  • I have linked the relevant GitHub issue above (required for automatic payout)

…g used

Fixes #8

The --token CLI flag exposed API tokens in ps aux output and shell
history. This change reads from QUIKDB_TOKEN env var first (safe for
CI/CD), keeps the --token flag for convenience but prints a security
warning when it is used, and documents the env var in the help output.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

security: --token CLI flag exposes token in process list and shell history

1 participant