Reliable password prompts #1
Comments
@ferd @tsloughter Do you have any thoughts on this matter?
The current way is a stopgap for sure, but this feels like the kind of thing that should have a fix at the OTP level more than just in random libs. Clearly there's a need for that at a broader level than just in build tools.
Right, no lib can fully resolve the issue. Currently rebar3_hex has moved to the method of a process that clears the line every millisecond, which is the way it was always doing it on win32, but it turns out to be the only way that works completely on any platform. So I suggested to @starbelly we open up a ticket on jira.
A ticket has been opened: https://bugs.erlang.org/browse/ERL-1069
Btw, if #11 is implemented, we may get rid of the password flow altogether in favor of a web based auth.
@josevalim I took a quick stab one night at doing this, but ran into problems around intercepting input; it may be this is too much work for not a lot of reward. Curious how web based auth would work?
We'd obviously have to flesh out how exactly the web flow would work, but we'd basically mimic how Heroku CLI, gcloud CLI and others are doing it. In a nutshell we'd open a web browser from your terminal where you'd log in (or you were already logged in) and from there we'd get the token.
@wojtekmach That makes sense to me. It also obviates the need for protecting the input, since I assume it would be an OTP with a short ttl on it. You could even tie it to the device the request originated from 😍. Going to close this in favor of implementing #11 and then discussing this idea further at our next meeting.
Currently in hex and rebar3 we have an identical hack when prompting for passwords. The hack in a nutshell is gathering characters as they are typed and clearing the prompt every 1ms. While this may not be a huge security concern, it is at least bad UX and avoids the source of the problem.
Some time was spent a while back trying to suss out what has to be done to get echo-less password prompts. I believe if I recall correctly the solution seemed to be modifying the win32 ttysl driver in Erlang/OTP to make use of SetConsoleMode.
Of course without experimenting, it's not clear whether this is the right or best solution.
Update:
This is now a multi-platform issue. We started experiencing a problem on *nix whereby `io:setopts({echo, false})` will never return `ok` unless you are in a full-blown shell. Trying to open a tty_sl port works but then causes problems for other callers trying to get input later on. An example would be the rebar3_hex cut command. If we prompt for a password up front via opening a port, it succeeds, but if we then prompt for anything else after that, `io:get_line` hangs. It is unclear what the ultimate issue is. Reference erlef/rebar3_hex#130
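As an added illustration, not code from hex, rebar3_hex or OTP, here are the two routes the issue describes side by side in Erlang: first the proper one, asking the io server to disable echo, and, when that is refused, the fallback of a helper process that redraws the prompt line every millisecond so typed characters do not stay on screen. The module name `pw_prompt`, the function names, the use of `standard_error` for the redraws and the ANSI `\e[2K` erase-line sequence are my assumptions; the code also assumes that `io:setopts/1` returns something other than `ok` (rather than blocking) when echo control is unavailable, which is what the update above reports for non-shell contexts.

```erlang
%% Hypothetical module, written for this illustration only.
-module(pw_prompt).
-export([get_password/1]).

%% Read a password from standard input without leaving it visible.
%% Returns the entered line without its trailing newline, or "" on eof.
get_password(Prompt) ->
    case io:setopts([{echo, false}]) of
        ok ->
            %% The tty driver honoured the request: echo-less input, the
            %% same thing the shell gives you. Restore echo afterwards
            %% and emit the newline the terminal no longer echoed.
            Line = io:get_line(Prompt),
            io:setopts([{echo, true}]),
            io:nl(),
            strip(Line);
        _NotSupported ->
            %% Not in a full shell (escript, plain `erl -noshell`, win32):
            %% fall back to the line-clearing workaround.
            clearing_prompt(Prompt)
    end.

%% Workaround: a linked helper process erases the current line and
%% reprints the prompt every 1 ms while io:get_line/1 blocks on input.
%% Any character the terminal echoes is visible for at most ~1 ms, so
%% this is a UX mitigation, not real echo control.
clearing_prompt(Prompt) ->
    Parent = self(),
    Ref = make_ref(),
    Clearer = spawn_link(fun() -> clear_loop(Prompt, Parent, Ref) end),
    Line = io:get_line(Prompt),
    Clearer ! {stop, Ref},
    %% Wait for the helper to finish so it cannot scribble over whatever
    %% the caller prints next (the "later prompts hang" problem in the
    %% issue is a different, port-level failure this does not address).
    receive
        {stopped, Ref} -> ok
    end,
    strip(Line).

clear_loop(Prompt, Parent, Ref) ->
    receive
        {stop, Ref} ->
            %% Leave a clean line behind before handing control back.
            io:put_chars(standard_error, "\e[2K\r"),
            Parent ! {stopped, Ref}
    after 1 ->
        %% Erase the whole line, return to column 0, redraw the prompt.
        io:put_chars(standard_error, ["\e[2K\r", Prompt]),
        clear_loop(Prompt, Parent, Ref)
    end.

%% io:get_line/1 returns eof or {error, Reason} as well as a string.
strip(eof) -> "";
strip({error, _}) -> "";
strip(Line) -> string:trim(Line, trailing, "\r\n").
```

Usage from a build tool would be `Password = pw_prompt:get_password("Password: ")`. The fallback writes its redraws to `standard_error` so they do not interleave with data the caller reads from `standard_io`; on a Windows console the `\e[2K` sequence only works once virtual-terminal processing is enabled, which is exactly the console-mode gap (SetConsoleMode) the issue points at for the OTP driver.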