Token stored in plain text when using "profile update"

[wjandrea]

When I created a new API token and updated it in bb, I noticed that the token got stored in plain text in the config file without specifying --no-vault.

Example:

$ bb profile create --name TEST --user foo --password bar

$ yq '.profiles[] | select(.name == "TEST") .password' ~/.config/bitbucket/config-cli.yml
null

$ bb profile update TEST --user foo --password baz

$ yq '.profiles[] | select(.name == "TEST") .password' ~/.config/bitbucket/config-cli.yml
"bar"

[gildas]

Ok, so what is actually happening, is when you update the profile's password, the old password is stored in plain text in the config file.

[wjandrea]

Oh, you're right, I didn't notice that! Thanks for looking at this issue.

[gildas]

Hmm... it's worse than I thought... When you create a new profile or update an existing profile, its password/secret is saved in the vault, but all other passwords are saved in plain text in the config file....

I need to think a bit harder about that fix...

[gildas]

Ok, the fix is in the dev branch.

Are you able to run the code from there to test it out?

I have also added a new flag to profile update to allow users to switch from in-config password/secret to the OS Vault. (Check the documentation to see if it's clear enough, pretty please)