Read token for scitokens-verify from stdin

djw8605 · djw8605 · commit 45896b9b007f · 2025-06-25T08:43:52.000-05:00
Allow either the command line or argument, for backward capability. But give warning if the token is passed on the command line. Fixes #158
diff --git a/README.md b/README.md
@@ -36,12 +36,11 @@ The easiest way to test `scitokens-cpp` is to head to the [SciTokens Demo app](h
 and copy the generated token.  Then, from the build directory:
 
 ```
-./scitokens-verify  eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtleS1yczI1NiJ9.eyJpc3MiOiJodHRwczovL2RlbW8uc2NpdG9rZW5zLm9yZyIsImV4cCI6MTU0NjQ1NjMwOSwiaWF0IjoxNTQ2NDU1NzA5LCJuYmYiOjE1NDY0NTU3MDksImp0aSI6ImRlYmNkZDRjLTU1MzgtNDkxNS1hY2U2LTgyNTg3NGQwZjEzNyJ9.Vu9TRfDi5WJujeAGl-wP-atvNqh31-gteKqqu_IEcxoCfGYdmoIM3xOOY1GmHcmXfclkrl724ldxBBChsDpcdi_8914N9EGwGVApJLQU0SaPPdtcoCrqvVJE3bD9fs6UKooGwuk_e20ml9g0R4100fTdsD7pkIOABYGTbhxioEb1dP1o-17l2t2kUXpd8KhIyZZjmtmnMdmO5bxaY_V60OOWekwelT8ACK8ao39Ocf_wmUiS0VVX21hD1KqO0bgBU9AsVJ5prAL9ytElr_UB2X5KowPODbj6LPFNhpCwXcoG4w4Gw9VueuxCuIPhlcHBhP83i5LPgtk2YOjygdSahA
+echo "<your_token_here>" | ./scitokens-verify
 ```
 
 Replace the given token above with the fresh one you just generated; using the above token should give an expired
-token error.
-
+token error. The token must be provided via standard input (stdin).
 
 Instructions for Generating a Release
 -------------------------------------
diff --git a/src/verify.cpp b/src/verify.cpp
@@ -1,4 +1,3 @@
-
 #include "scitokens.h"
 
 #include <fstream>
@@ -9,7 +8,7 @@ namespace {
 
 const char usage[] =
     "\n"
-    "Syntax: %s [--cred cred_file] TOKEN\n"
+    "Syntax: %s [--cred cred_file] < TOKEN\n"
     "\n"
     " Options\n"
     "    -h | --help                  Display usage\n"
@@ -18,7 +17,8 @@ const char usage[] =
     "    -K | --keyid          <kid>  Name of the token key.\n"
     "    -p | --profile    <profile>  Profile to enforce (wlcg, scitokens1, "
     "scitokens2, atjwt).\n"
-    "\n";
+    "\n"
+    "    The token to verify must be provided via standard input (stdin).\n";
 
 const struct option long_options[] = {{"help", no_argument, NULL, 'h'},
                                       {"cred", required_argument, NULL, 'c'},
@@ -87,18 +87,24 @@ int init_arguments(int argc, char *const argv[]) {
 } // namespace
 
 int main(int argc, char *const *argv) {
-    if (argc < 2) {
-        fprintf(stderr,
-                "%s: Insufficient arguments; must at least provide a token.\n",
-                argv[0]);
-        fprintf(stderr, usage, argv[0]);
-        return 1;
-    }
+
     if (init_arguments(argc, argv)) {
         return 1;
     }
 
-    std::string token(argv[argc - 1]);
+    std::string token;
+    // If a positional argument is present, treat it as the token (with warning)
+    if (optind < argc) {
+        fprintf(stderr, "%s: Warning: Providing the token on the command line is insecure. Please use stdin instead.\n", argv[0]);
+        token = argv[optind];
+    } else {
+        // Read token from stdin
+        std::getline(std::cin, token);
+    }
+    if (token.empty()) {
+        fprintf(stderr, "%s: No token provided on stdin or command line.\n", argv[0]);
+        return 1;
+    }
 
     if (!g_issuer.empty()) {
         char *err_msg;
