
I'm using the very good Click framework to build a Python CLI that acts as a "wrapper" around a set of complex REST APIs. I've used the "complex" example in order to have good boilerplate code to build the rest of CLI.

However, since the CLI itself communicates with REST APIs, I need a bit of configuration for each command. Example: user authentication (id, password, etc.), and, if different from the default one, the URL to API server.

I could force the user to put this configuration as parameters for each command, but this would be really annoying when executing many commands (the user has to insert his auth details for every command).

Is there a way to have the user enter his credentials at the first command in order to have his uid/pwd persist for the entire session (like the mysql-cli, for example), and, after executing the commands he needed, "logout" from the CLI?

Stephen Rauch
Carmine Giangregorio

1 Answer


The way this is normally done is to have a configure command that stores these credentials in a file (normally in the user's $HOME folder, if you are on Linux) and changes its permissions so it is only readable by the user.

You can use configparser (or JSON or YAML or whatever you want) to load different sets of credentials based on a profile:

```ini
# $HOME/.your-config-name
[default]
auth-mode=password
username=bsmith
password=abc123

[system1]
auth-mode=oauth
auth-token=abc-123
auth-url=http://system.1/authenticate

[system2]
auth-mode=anonymous
auth-url=http://this-is.system2/start
```

Then you can use a global argument (say --profile) to pick which credentials should be used for a given request:

```console
$ your-cli --profile system1 command --for first-system
```
Sean Vieira
  • Isn't this a potential security issue? Moreover, I need to give the user the possibility to change userid/password for each "session", for example by having a "login" command, that stores the credentials, and then deletes them after a timeout. – Carmine Giangregorio Apr 15 '15 at 08:40
  • @Carmine - yes, that's why most systems that do this (GitHub, AWS CLI, etc.) store an OAuth token rather than a username / password combination - there are other options, but if it needs to survive between CLI invocations then the credentials have to be persisted somewhere. If you switch to a REPL-like environment you can persist the credentials in memory instead and log the user out / destroy the credentials when the program exits. – Sean Vieira Apr 15 '15 at 11:42
  • My thought was to use a custom shell instead of a single-command CLI; for example, like MySQL-Cli or REDIS-Cli. By doing so, I could store auth tokens and/or uid and password tuple in memory, instead of using files. Are there drawbacks for this solution? Unfortunately I think Click framework isn't suitable for this. – Carmine Giangregorio Apr 15 '15 at 12:03
  • Nope, that should work pretty well. There is [this older question](http://stackoverflow.com/q/28990497/135978) that provides a way of using Click both as a CLI driver and for a REPL. – Sean Vieira Apr 15 '15 at 12:08
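
The credentials-file approach from the answer, with the `login`/`logout` idea from the comments, as an added example that is not code from the answer's author or from Click. It uses only the standard library on a POSIX system; the function names `save_profile`, `load_profile` and `forget_profile` are hypothetical, and the loader rejects a file that is owned by another user or accessible to group/others.

```python
import configparser
import os
import stat


def _write(path, cfg):
    # Mode 0600 at creation: the file never exists with looser permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fh.fileno(), 0o600)  # also tighten a pre-existing file
        cfg.write(fh)


def _read(path):
    # interpolation=None: '%' is legal in passwords and tokens.
    cfg = configparser.ConfigParser(interpolation=None)
    if not os.path.exists(path):
        return cfg
    st = os.stat(path)
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path} is not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/others; chmod 600 it")
    cfg.read(path)
    return cfg


def save_profile(path, profile, settings):
    """What a `configure` or `login` command would call to store one profile."""
    cfg = _read(path)
    cfg[profile] = settings
    _write(path, cfg)


def load_profile(path, profile="default"):
    """What the global --profile option would call before each request."""
    cfg = _read(path)
    if not cfg.has_section(profile):
        raise KeyError(f"no profile named {profile!r} in {path}")
    return dict(cfg[profile])


def forget_profile(path, profile):
    """What a `logout` command would call; True if a profile was removed."""
    cfg = _read(path)
    removed = cfg.remove_section(profile)
    _write(path, cfg)
    return removed
```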