fix(login): Deprecate CLI token

This came up in #13623 to avoid putting tokens into shell history.

Author: epage

src/bin/cargo/commands/login.rs

@@ -6,7 +6,12 @@ use crate::command_prelude::*;
 pub fn cli() -> Command {
     subcommand("login")
         .about("Log in to a registry.")
-        .arg(Arg::new("token").value_name("TOKEN").action(ArgAction::Set))
+        .arg(
+            Arg::new("token")
+                .value_name("TOKEN")
+                .action(ArgAction::Set)
+                .hide(true),
+        )
         .arg_registry("Registry to use")
         .arg(
             Arg::new("args")
@@ -27,16 +32,18 @@ pub fn exec(gctx: &mut GlobalContext, args: &ArgMatches) -> CliResult {
         "must not be index URL"
     );
 
+    let token = args.get_one::<String>("token").map(|s| s.as_str().into());
+    if token.is_some() {
+        let _ = gctx
+            .shell()
+            .warn("`cargo login <token>` is deprecated in favor of reading `<token>` from stdin");
+    }
+
     let extra_args = args
         .get_many::<String>("args")
         .unwrap_or_default()
         .map(String::as_str)
         .collect::<Vec<_>>();
-    ops::registry_login(
-        gctx,
-        args.get_one::<String>("token").map(|s| s.as_str().into()),
-        reg.as_ref(),
-        &extra_args,
-    )?;
+    ops::registry_login(gctx, token, reg.as_ref(), &extra_args)?;
     Ok(())
 }

src/doc/man/cargo-login.md

@@ -6,7 +6,7 @@ cargo-login --- Log in to a registry
 
 ## SYNOPSIS
 
-`cargo login` [_options_] [_token_] [`--` _args_]
+`cargo login` [_options_] [`--` _args_]
 
 ## DESCRIPTION
 
@@ -24,7 +24,7 @@ If a registry has a credential-provider specified, it will be used. Otherwise,
 the providers from the config value `registry.global-credential-providers` will
 be attempted, starting from the end of the list.
 
-If the _token_ argument is not specified, it will be read from stdin.
+The _token_ will be read from stdin.
 
 The API token for crates.io may be retrieved from <https://crates.io/me>.
 

src/doc/man/generated_txt/cargo-login.txt

@@ -4,7 +4,7 @@ NAME
        cargo-login — Log in to a registry
 
 SYNOPSIS
-       cargo login [options] [token] [-- args]
+       cargo login [options] [-- args]
 
 DESCRIPTION
        This command will run a credential provider to save a token so that
@@ -23,7 +23,7 @@ DESCRIPTION
        registry.global-credential-providers will be attempted, starting from
        the end of the list.
 
-       If the token argument is not specified, it will be read from stdin.
+       The token will be read from stdin.
 
        The API token for crates.io may be retrieved from
        <https://crates.io/me>.

src/doc/src/commands/cargo-login.md

@@ -6,7 +6,7 @@ cargo-login --- Log in to a registry
 
 ## SYNOPSIS
 
-`cargo login` [_options_] [_token_] [`--` _args_]
+`cargo login` [_options_] [`--` _args_]
 
 ## DESCRIPTION
 
@@ -24,7 +24,7 @@ If a registry has a credential-provider specified, it will be used. Otherwise,
 the providers from the config value `registry.global-credential-providers` will
 be attempted, starting from the end of the list.
 
-If the _token_ argument is not specified, it will be read from stdin.
+The _token_ will be read from stdin.
 
 The API token for crates.io may be retrieved from <https://crates.io/me>.
 

src/etc/man/cargo-login.1

@@ -6,7 +6,7 @@
 .SH "NAME"
 cargo\-login \[em] Log in to a registry
 .SH "SYNOPSIS"
-\fBcargo login\fR [\fIoptions\fR] [\fItoken\fR] [\fB\-\-\fR \fIargs\fR]
+\fBcargo login\fR [\fIoptions\fR] [\fB\-\-\fR \fIargs\fR]
 .SH "DESCRIPTION"
 This command will run a credential provider to save a token so that commands
 that require authentication, such as \fBcargo\-publish\fR(1), will be
@@ -22,7 +22,7 @@ If a registry has a credential\-provider specified, it will be used. Otherwise,
 the providers from the config value \fBregistry.global\-credential\-providers\fR will
 be attempted, starting from the end of the list.
 .sp
-If the \fItoken\fR argument is not specified, it will be read from stdin.
+The \fItoken\fR will be read from stdin.
 .sp
 The API token for crates.io may be retrieved from <https://crates.io/me>\&.
 .sp

tests/testsuite/alt_registry.rs

@@ -814,7 +814,8 @@ fn no_api() {
 "#]])
         .run();
 
-    p.cargo("login --registry alternative TOKEN")
+    p.cargo("login --registry alternative")
+        .with_stdin("TOKEN")
         .with_status(101)
         .with_stderr_data(str![[r#"
 [ERROR] registry `alternative` does not support API commands

tests/testsuite/cargo_login/help/stdout.term.svg

@@ -95,7 +95,8 @@ fn basic_unsupported() {
         .credential_provider(&["cargo:token-from-stdout", "false"])
         .build();
 
-    cargo_process("login abcdefg")
+    cargo_process("login")
+        .with_stdin("abcdefg")
         .replace_crates_io(registry.index_url())
         .with_status(101)
         .with_stderr_data(str![[r#"
@@ -132,7 +133,8 @@ fn login() {
         ])
         .build();
 
-    cargo_process("login abcdefg -- cmd3 --cmd4")
+    cargo_process("login -- cmd3 --cmd4")
+        .with_stdin("abcdefg")
         .replace_crates_io(registry.index_url())
         .with_stderr_data(str![[r#"
 [UPDATING] crates.io index
@@ -383,7 +385,8 @@ fn multiple_providers() {
     )
     .unwrap();
 
-    cargo_process("login -v abcdefg")
+    cargo_process("login -v")
+    .with_stdin("abcdefg")
         .replace_crates_io(server.index_url())
         .with_stderr_data(str![[r#"
 [UPDATING] crates.io index
@@ -429,7 +432,8 @@ fn registry_provider_overrides_global() {
     )
     .unwrap();
 
-    cargo_process("login -v abcdefg")
+    cargo_process("login -v")
+        .with_stdin("abcdefg")
         .env("CARGO_REGISTRY_CREDENTIAL_PROVIDER", "cargo:token")
         .replace_crates_io(server.index_url())
         .with_stderr_data(str![[r#"
@@ -460,7 +464,7 @@ fn both_asymmetric_and_token() {
     )
     .unwrap();
 
-    cargo_process("login -Zasymmetric-token -v abcdefg")
+    cargo_process("login -Zasymmetric-token -v").with_stdin("abcdefg")
         .masquerade_as_nightly_cargo(&["asymmetric-token"])
         .replace_crates_io(server.index_url())
         .with_stderr_data(str![[r#"
@@ -675,7 +679,8 @@ fn unsupported_version() {
         .credential_provider(&[&provider])
         .build();
 
-    cargo_process("login abcdefg")
+    cargo_process("login")
+        .with_stdin("abcdefg")
         .replace_crates_io(registry.index_url())
         .with_status(101)
         .with_stderr_data(str![[r#"
@@ -707,7 +712,8 @@ fn alias_builtin_warning() {
     )
     .unwrap();
 
-    cargo_process("login abcdefg")
+    cargo_process("login")
+        .with_stdin("abcdefg")
         .replace_crates_io(registry.index_url())
         .with_stderr_data(str![[r#"
 [UPDATING] crates.io index

tests/testsuite/credential_process.rs

@@ -81,7 +81,10 @@ fn registry_credentials() {
 
     let reg = "alternative";
 
-    cargo_process("login --registry").arg(reg).arg(TOKEN).run();
+    cargo_process("login --registry")
+        .arg(reg)
+        .with_stdin(TOKEN)
+        .run();
 
     // Ensure that we have not updated the default token
     check_token(Some(ORIGINAL_TOKEN), None);
@@ -92,7 +95,7 @@ fn registry_credentials() {
     let reg2 = "alternative2";
     cargo_process("login --registry")
         .arg(reg2)
-        .arg(TOKEN2)
+        .with_stdin(TOKEN2)
         .run();
 
     // Ensure not overwriting 1st alternate registry token with
@@ -118,6 +121,20 @@ fn empty_login_token() {
 please paste the token found on [ROOTURL]/api/me below
 [ERROR] credential provider `cargo:token` failed action `login`
 
+Caused by:
+  please provide a non-empty token
+
+"#]])
+        .with_status(101)
+        .run();
+
+    cargo_process("login")
+        .replace_crates_io(registry.index_url())
+        .with_stdin("")
+        .with_stderr_data(str![[r#"
+please paste the token found on [ROOTURL]/api/me below
+[ERROR] credential provider `cargo:token` failed action `login`
+
 Caused by:
   please provide a non-empty token
 
@@ -128,7 +145,9 @@ Caused by:
     cargo_process("login")
         .replace_crates_io(registry.index_url())
         .arg("")
+        .with_stdin("")
         .with_stderr_data(str![[r#"
+[WARNING] `cargo login <token>` is deprecated in favor of reading `<token>` from stdin
 [ERROR] credential provider `cargo:token` failed action `login`
 
 Caused by:
@@ -356,7 +375,7 @@ fn default_registry_configured() {
     .unwrap();
 
     cargo_process("login")
-        .arg("a-new-token")
+        .with_stdin("a-new-token")
         .with_stderr_data(str![[r#"
 [UPDATING] `alternative` index
 [LOGIN] token for `alternative` saved