Mix.Shell.IO, prompt, and security

easco · November 9, 2017, 4:18pm

The Mix.Shell.IO module allows me to prompt the user for some information. I would like to use that functionality in a script I am writing to prompt the user for a password. Unfortunately it displays the user’s entry in cleartext on the screen.

I don’t see any way to entice that function to mask the input at the moment.

Is there another Erlang/Elixir function that might help me accomplish the same effect? For that matter, is there a shell command I could use with Mix.Shell.IO.cmd to collect a masked string and return it?

OvermindDL1 · November 9, 2017, 4:48pm

Don’t know how to turn off echo’ing offhand, but I know the hex.publish takes a password that it immediately deletes as it is typed, maybe take a look at it’s code?

easco · November 9, 2017, 5:02pm

I discovered that there is an undocumented function :io.get_password() that reads input from the shell without echoing it and returns a password. That seems to be what I need (http://erlang.org/pipermail/erlang-questions/2011-November/062798.html)

My code now reads:

    username = Mix.Shell.IO.prompt("username:")
    IO.write("password: ")
    password = :io.get_password()

For others looking to this solution, read the rest of the thread. This was a solution for me in one context, but may not be general purpose solution.

NobbZ · November 10, 2017, 9:45am

Unless you are developing something to integrate with mix, you should not use it. It is usually not included in production builds and will probably fail then.

hassan · November 10, 2017, 2:37pm

Unless you are developing something to integrate with mix, you should not
use it. It is usually not included in production builds

“usually not” based on what? It seems to be in my production builds.

NobbZ · November 10, 2017, 3:34pm

Then you either have mix mentioned in your (extra_)applications-list, or you are running you generated application on a machine that has elixir installed.

hassan · November 10, 2017, 4:06pm

Then you either have mix mentioned in your (extra_)applications-list,

Nope.

are running you generated application on a machine that has elixir
installed.

“Elixir” or Erlang? It’s present on a system without Elixir but with
Erlang installed, but – I thought the whole point of a release was to
use the bundled version.

NobbZ · November 10, 2017, 5:02pm

Just search the forum, there are plenty of threads because mix is not available in production or release. Its always suggested to not rely on mix when not in build time.

So if you have a proper release and access to mix, its probably a bug, so could you please explain how you built and run the release?

hassan · November 10, 2017, 5:28pm

Just search the forum, there are plenty of threads because mix is not
available in production or release. Its always suggested to not rely on mix
when not in build time.

Who is talking about mix?!

The OP mentioned finding an undocumented function :io.get_password()
and you responded with:

“It is usually not included in production builds…”

So maybe in the future be more specific what you mean by “it”?

NobbZ · November 10, 2017, 5:51pm

The OP… The subject… The code example…

Or do you want to say, that Mix.Shell.IO is not part of mix?

Also I said:

All “it”s are clearly refering to mix that I mentioned in the very same paragraph. Nothing there seems to be related to :io-module.

hassan · November 10, 2017, 6:23pm

The OP… The subject… The code example…

You didn’t reply to the first post, but to the one that starts out
mentioning finding the :io.get_password() function.

All “it”s are clearly refering to mix that I mentioned in the very same
paragraph.

They definitely weren’t “clearly” referring to Mix from my reading, or
I wouldn’t have had the question I did.

And if we replace “it” in your statement with “mix”,

Unless you are developing something to integrate with mix, you
should not use mix.

That doesn’t seem meaningful to me

NobbZ · November 10, 2017, 6:31pm

I hit the reply button of the op, but since this is not a threaded view, you can’t tell the difference in many cases. But yes I should have written “you shouldn’t use its functions”.

easco · November 10, 2017, 6:37pm

FWIW, this is not code the is going into production. I’m running a “.exs” script and I want it to make use of the code embodied a mix project so I’ve got my script in the same folder hierarchy as that mix project and I’m using iex -S mix my_script.exs to run things. It kicks off and starts the mix project and all it’s applications, then calls my script.

I wil be running the script in front of an audience, however, and I didn’t want my password to be displayed in Plain Text. So:

This is a development context, not production code
I know I will be running my code through mix (so Mix.Shell.IO is fine to use)
Calling an undocumented function doesn’t bother me for this use case.

For this purpose :io.get_password() does what I need it to do. I gather that it may not be a good general-purpose solution so caveat emptor.