Don't store authentication token in ~/.config

[owenthereal]

Please don't make the same mistake as hub does.
~/.config folder is used by fish, cocoapods and many other tools.

It's a folder intended to store configuration files.
That means people are checking it in with their dotfiles repos.

Use the OS-level keychains, or require an ENV.

[calavera]

It's really something to consider, thanks @mneorr.

I guess storing the credentials in a keychain would be the optimal solution. We can abstract that logic into specific sources by GOARCH, we can have keychain_win.go, keychain_darwin.go and keychain_linux.go.

We're trying to be totally compatible with hub, which might require some kind of transformation from its configuration file to something like this.

[owenthereal]

@calavera I really like the idea of using native mechanism for storing credentials! And it's good use of Go build tag for this purpose 👍.

@mneorr You could specify the path to the config file by using the GH_CONFIG env var. This should solve your problem for now. I'll also document this on the README. I'm also thinking it may be a good idea to use the ~/.gh folder to store any gh related settings. This should have less conflict with any other tools.

[supermarin]

@jingweno i'm sad seeing this being closed, because documenting isn't a solution.
As long as default behavior sets the token in ~/.config, expect many committed tokens and exploits.

[owenthereal]

@mneorr I didn't close it. I merged the branch and github did that...

[owenthereal]

Looks like with the new UI, i can't reopen an issue either...

[owenthereal]

This is all I got...no "reopen" button

[calavera]

it's because you turned the issue into a PR. PRs cannot be reopen.

[calavera]

We should definitely keep this open until we provide something else as a solution.

[owenthereal]

@calavera @mneorr Please move onto #192 for further discussion. Sorry for the inconvenience...

[owenthereal]

There's apparently something we could do to minimize misoperation like this: #193

[mislav]

@mneorr We're accepting suggestions for better places to store the OAuth token in a cross platform way; OS X Keychain is cool but we unfortunately don't have it on Linux or Windows.

Credentials via environment variables is theoretically a good solution but in practice it's a nightmare to configure environment variables consistently for different kinds of execution contexts.

[supermarin]

@mislav you can at least store it in .netrc instead of ~/.config/.

There are projects like GPG that could probably work on other platforms.
Not sure how helpful this is, but seems like there's some support on git level
http://stackoverflow.com/questions/6031214/git-how-to-use-netrc-file-on-windows-to-save-user-and-password

[wilmoore]

Seems like the lowest common denominator is looking to environment variables:

1. Each platform supports them.
2. If a user wants to use a platform native solution like Keychain Access (mac) or Windows Registry, they have the option to export whatever is in those stores to an environment variable using command-line tools.

I don't love the idea that by default the tool writes sensitive information directly into a plain text file, even though the location can be configured.