From 15f98655434af545418dc0e68722cd51c0900689 Mon Sep 17 00:00:00 2001 From: samsonajulor Date: Wed, 8 Jul 2026 01:14:47 +0100 Subject: [PATCH] security: read token from QUIKDB_TOKEN env var, warn when --token flag used Fixes #8 The --token CLI flag exposed API tokens in ps aux output and shell history. This change reads from QUIKDB_TOKEN env var first (safe for CI/CD), keeps the --token flag for convenience but prints a security warning when it is used, and documents the env var in the help output. Co-Authored-By: Claude Sonnet 4.6 --- cmd/quikdb-frame/main.go | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/cmd/quikdb-frame/main.go b/cmd/quikdb-frame/main.go index ac00a1d..c5bda8e 100644 --- a/cmd/quikdb-frame/main.go +++ b/cmd/quikdb-frame/main.go @@ -74,12 +74,18 @@ func main() { } case "login": - token := "" + // Prefer QUIKDB_TOKEN env var — safe for CI/CD, not visible in ps aux or shell history + token := os.Getenv("QUIKDB_TOKEN") + + // Also accept --token flag for convenience, but warn about exposure risk for i, arg := range os.Args { if arg == "--token" && i+1 < len(os.Args) { token = os.Args[i+1] + fmt.Fprintln(os.Stderr, "Warning: --token flag exposes the token in process list (ps aux) and shell history.") + fmt.Fprintln(os.Stderr, " Use the QUIKDB_TOKEN environment variable instead for better security.") } } + var err error if token != "" { err = deploy.LoginWithToken(token) @@ -154,7 +160,7 @@ Commands: add Add a service (api, ws, worker, web) dev [service] Run services locally with hot reload login Log in to QuikDB Compute - login --token Log in with an API token + login --token Log in with an API token (see warning below) logout Log out deploy [service] Deploy to QuikDB Compute status Show deployment status @@ -166,6 +172,11 @@ Commands: Options for init: --db Database type: postgres, mongo, mysql, sqlite (default: postgres) +Security: + QUIKDB_TOKEN Set this environment variable instead of --token to avoid exposing + the token in process lists (ps aux) and shell history. + Example: QUIKDB_TOKEN= quikdb-frame login + Workflow: quikdb-frame init my-app # create project cd my-app