easco
Mix.Shell.IO, prompt, and security
The Mix.Shell.IO module allows me to prompt the user for some information. I would like to use that functionality in a script I am writing to prompt the user for a password. Unfortunately it displays the user’s entry in cleartext on the screen.
I don’t see any way to entice that function to mask the input at the moment.
Is there another Erlang/Elixir function that might help me accomplish the same effect? For that matter, is there a shell command I could use with Mix.Shell.IO.cmd to collect a masked string and return it?
Marked As Solved
easco
I discovered that there is an undocumented function :io.get_password() that reads input from the shell without echoing it and returns a password. That seems to be what I need (http://erlang.org/pipermail/erlang-questions/2011-November/062798.html)
My code now reads:
username = Mix.Shell.IO.prompt("username:")
IO.write("password: ")
password = :io.get_password()
For others looking to this solution, read the rest of the thread. This was a solution for me in one context, but may not be general purpose solution.
Also Liked
easco
FWIW, this is not code the is going into production. I’m running a “.exs” script and I want it to make use of the code embodied a mix project so I’ve got my script in the same folder hierarchy as that mix project and I’m using iex -S mix my_script.exs to run things. It kicks off and starts the mix project and all it’s applications, then calls my script.
I wil be running the script in front of an audience, however, and I didn’t want my password to be displayed in Plain Text. So:
- This is a development context, not production code
- I know I will be running my code through
mix(soMix.Shell.IOis fine to use) - Calling an undocumented function doesn’t bother me for this use case.
For this purpose :io.get_password() does what I need it to do. I gather that it may not be a good general-purpose solution so caveat emptor.
NobbZ
Unless you are developing something to integrate with mix, you should not use it. It is usually not included in production builds and will probably fail then.
OvermindDL1
Don’t know how to turn off echo’ing offhand, but I know the hex.publish takes a password that it immediately deletes as it is typed, maybe take a look at it’s code?
hassan
Unless you are developing something to integrate with mix, you should not
use it. It is usually not included in production builds
“usually not” based on what? It seems to be in my production builds.
NobbZ
Then you either have mix mentioned in your (extra_)applications-list, or you are running you generated application on a machine that has elixir installed.







