Add getPassword proc to terminal module #7254
Adds a `getPassword` proc to terminal, which allows to read passwords from stdin, i.e. without showing any characters. Characters are entered as hidden text, which is removed upon finished user input. Handles backspace as well as unicode characters in passwords.
Changes the return type of getPassword from string to TaintedString to conform with taint mode.
Wraps the unsetControlCHook proc in compile time checks for noSignalHandler and useNimRtl to fix compilation with -d:useNimRtl (otherwise complains about missing implementation of the proc)
|
Applied a few fixes for the failed tests. I changed the return value of Also wraps the |
Just one thing, otherwise looks good.
| stdout.showCursor() | ||
| stdout.resetAttributes() | ||
| stdout.write("\n") | ||
| if stackTraceAvailable() == true: |
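Review bot: `stdout.write("\n")` after `stdout.resetAttributes()` carries no comment saying why the cleanup path has to emit a newline, so a reader will take it for stray output; add a one-line comment with the reason. The `showCursor` / `resetAttributes` pair would also be easier to reuse and test as one small named proc called from here.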
Is there a function that does this already which could be called? Presumably there is already a hook somewhere which does this.
P.S. == true is redundant.
As far as I can tell there's no proc to do that. resetAttributes is the closest, but it only affects the text style and leaves the cursor as it is. One could of course define a resetTerminal proc, which combines the two.
The newline I insert should not be part of that proc though, since I only need it due to moving the cursor one line up to get back down.
Regarding the if statement. Oh, good point, thanks. I'll change that.
|
I've since given the way I handle the input some more thought. Depending on how paranoid one is, using readLine is probably not the greatest idea. It's all fine, as long as the user finishes the input or sends a SIGINT, but in the unlikely case someone sends some other signal like SIGSTP or SIGTERM (or simply never presses return), the text will still be written in the terminal, albeit invisible. A malicious actor could probably use that easily enough to steal the password, especially because the average user of a program making use of this proc will not be aware of the fact that the text is only invisible. I'll look into replacing the readLine with readBuffer to read one character at a time to mitigate that. Plus, as a bonus, one might be able to include an option for an "asterisk styled" password input that way. |
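The concern in the comment above is that text which is printed but hidden stays in the terminal when input is interrupted. As an added example (Python, not code from this PR or from Nim's stdlib), the sketch below switches echo off at the tty with termios, so typed bytes are never written back at all, and restores the settings on Ctrl-C or SIGTERM. `read_hidden_line`, `echo_disabled`, `echo_enabled` and the `prompt` hook are hypothetical names.

```python
import os
import signal
import termios
from contextlib import contextmanager


def echo_enabled(fd):
    """True if the terminal behind fd currently echoes typed characters."""
    return bool(termios.tcgetattr(fd)[3] & termios.ECHO)  # [3] is c_lflag


def _term_to_exit(signum, frame):
    # SIGTERM's default action ends the process without running `finally`,
    # which would leave the user's shell with echo switched off.
    raise SystemExit(128 + signum)


@contextmanager
def echo_disabled(fd):
    """Turn ECHO off on fd; restore the saved settings on every exit path."""
    saved = termios.tcgetattr(fd)
    quiet = termios.tcgetattr(fd)
    quiet[3] &= ~termios.ECHO
    old_handler = signal.signal(signal.SIGTERM, _term_to_exit)
    try:
        # TCSAFLUSH also discards anything typed before echo was off.
        termios.tcsetattr(fd, termios.TCSAFLUSH, quiet)
        yield
    finally:
        termios.tcsetattr(fd, termios.TCSAFLUSH, saved)
        signal.signal(signal.SIGTERM, old_handler)


def read_hidden_line(fd, prompt=lambda: None):
    """Read one line from terminal fd; the typed bytes are never written back.

    prompt (hypothetical hook) is called once echo is already off.
    """
    with echo_disabled(fd):
        prompt()
        buf = bytearray()
        while not buf.endswith(b"\n"):
            chunk = os.read(fd, 1024)
            if not chunk:  # EOF or hang-up
                break
            buf += chunk
    return buf.rstrip(b"\r\n").decode("utf-8")
```

SIGKILL and SIGSTOP cannot be caught, so in those cases the terminal settings are not restored by the program itself.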
|
Perhaps it would make sense to look into using the native operating system functions for reading passwords? |
|
@dom96 There aren't any. The other implementations all use hacks like these afaict. |
|
To be fair, I haven't spent too much time researching it, but what Araq says seems to be the case. https://www.gnu.org/software/libc/manual/html_node/getpass.html |
|
@Araq @Vindaar There are implementations in POSIX (and I heard somebody mention a WinAPI function too, possibly in IRC can't remember) https://stackoverflow.com/a/6869218/492186 |
|
Use the first answer from here https://stackoverflow.com/questions/1413445/reading-a-password-from-stdcin |
|
Thanks @Araq, will do! |
|
Why not use the POSIX implementation on POSIX systems? |
|
IMO you should use |
|
I was about to say mainly because you stumble upon things like (http://man7.org/linux/man-pages/man3/getpass.3.html):
But awkward as it is, while looking through Nim's source, I realized that there is indeed already a read password proc in the stdlib. So you were right after all @dom96. It's simply in impure/rdstdin.nim: So close this PR? rstdin seems to suffer from visibility issues, haha. |
|
Is listed in https://nim-lang.org/docs/theindex.html Closing. |
Adds a `getPassword` proc to the terminal module, which allows to read passwords from stdin, i.e. read input without showing any characters. Characters are entered as hidden text, which is removed once user input is finished. It handles backspaces as well as Unicode characters in the input.
I hope I didn't break too many conventions in this. :-)