Merge pull request #159 from djw8605/verify-stdin

djw8605 · web-flow · commit 89257bb42fca · 2025-06-25T10:56:16.000-05:00
Read token for scitokens-verify from stdin
diff --git a/README.md b/README.md
@@ -36,12 +36,11 @@ The easiest way to test `scitokens-cpp` is to head to the [SciTokens Demo app](h
 and copy the generated token.  Then, from the build directory:
 
 ```
-./scitokens-verify  eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtleS1yczI1NiJ9.eyJpc3MiOiJodHRwczovL2RlbW8uc2NpdG9rZW5zLm9yZyIsImV4cCI6MTU0NjQ1NjMwOSwiaWF0IjoxNTQ2NDU1NzA5LCJuYmYiOjE1NDY0NTU3MDksImp0aSI6ImRlYmNkZDRjLTU1MzgtNDkxNS1hY2U2LTgyNTg3NGQwZjEzNyJ9.Vu9TRfDi5WJujeAGl-wP-atvNqh31-gteKqqu_IEcxoCfGYdmoIM3xOOY1GmHcmXfclkrl724ldxBBChsDpcdi_8914N9EGwGVApJLQU0SaPPdtcoCrqvVJE3bD9fs6UKooGwuk_e20ml9g0R4100fTdsD7pkIOABYGTbhxioEb1dP1o-17l2t2kUXpd8KhIyZZjmtmnMdmO5bxaY_V60OOWekwelT8ACK8ao39Ocf_wmUiS0VVX21hD1KqO0bgBU9AsVJ5prAL9ytElr_UB2X5KowPODbj6LPFNhpCwXcoG4w4Gw9VueuxCuIPhlcHBhP83i5LPgtk2YOjygdSahA
+echo "<your_token_here>" | ./scitokens-verify
 ```
 
 Replace the given token above with the fresh one you just generated; using the above token should give an expired
-token error.
-
+token error. The token must be provided via standard input (stdin).
 
 Instructions for Generating a Release
 -------------------------------------
diff --git a/src/verify.cpp b/src/verify.cpp
@@ -1,15 +1,15 @@
-
 #include "scitokens.h"
 
 #include <fstream>
 #include <getopt.h>
 #include <iostream>
+#include <string>
 
 namespace {
 
 const char usage[] =
     "\n"
-    "Syntax: %s [--cred cred_file] TOKEN\n"
+    "Syntax: %s [--cred cred_file] < TOKEN\n"
     "\n"
     " Options\n"
     "    -h | --help                  Display usage\n"
@@ -18,7 +18,8 @@ const char usage[] =
     "    -K | --keyid          <kid>  Name of the token key.\n"
     "    -p | --profile    <profile>  Profile to enforce (wlcg, scitokens1, "
     "scitokens2, atjwt).\n"
-    "\n";
+    "\n"
+    "    The token to verify must be provided via standard input (stdin).\n";
 
 const struct option long_options[] = {{"help", no_argument, NULL, 'h'},
                                       {"cred", required_argument, NULL, 'c'},
@@ -65,12 +66,6 @@ int init_arguments(int argc, char *const argv[]) {
         exit(1);
     }
 
-    if (optind == argc) {
-        fprintf(stderr, "%s: Must provide a token as a requirement\n", argv[0]);
-        fprintf(stderr, usage, argv[0]);
-        exit(1);
-    }
-
     if ((!g_cred.empty() || !g_issuer.empty() || !g_keyid.empty()) &&
         (g_cred.empty() || g_issuer.empty() || g_keyid.empty())) {
         fprintf(stderr,
@@ -87,19 +82,29 @@ int init_arguments(int argc, char *const argv[]) {
 } // namespace
 
 int main(int argc, char *const *argv) {
-    if (argc < 2) {
+
+    if (init_arguments(argc, argv)) {
+        return 1;
+    }
+
+    std::string token;
+    // If a positional argument is present, treat it as the token (with warning)
+    if (optind < argc) {
         fprintf(stderr,
-                "%s: Insufficient arguments; must at least provide a token.\n",
+                "%s: Warning: Providing the token on the command line is "
+                "insecure. Please use stdin instead.\n",
                 argv[0]);
-        fprintf(stderr, usage, argv[0]);
-        return 1;
+        token = argv[optind];
+    } else {
+        // Read token from stdin
+        std::getline(std::cin, token);
     }
-    if (init_arguments(argc, argv)) {
+    if (token.empty()) {
+        fprintf(stderr, "%s: No token provided on stdin or command line.\n", argv[0]);
+        fprintf(stderr, usage, argv[0]);
         return 1;
     }
 
-    std::string token(argv[argc - 1]);
-
     if (!g_issuer.empty()) {
         char *err_msg;
 
