curl and OAuth tokens on macOS

matthew_buckett
Community Contributor

When poking the Canvas API with curl I would often find myself copying and pasting lots of Authorization headers around to authenticate against Canvas. This is error-prone and also leaves your tokens accessible in your .bash_history file. To improve on this I wrote a small script for macOS that stores the tokens in Apple's keychain and automatically adds the Authorization header to the curl request based on the URL on the command line. While this isn't perfect, it's much better and easier to use. The result is a script I call ccurl.

Setup

Download a copy of ccurl, make it executable and set the CCURL_HOSTS environment variable to a space-separated list of hosts you wish to use ccurl against.

$ curl -s -O https://gist.githubusercontent.com/buckett/ed3217fced4b9d129758157b4476aaa6/raw/1fa77f31bdb65b8bf6cb...
$ chmod +x ccurl
$ echo 'export CCURL_HOSTS="canvas.instructure.com canvas.test.instructure.com canvas.beta.instructure.com"' >> ~/.bashrc

You may also wish to put ccurl somewhere on your PATH. Then, to set a token for a host, use the following (history -c flushes bash history so the token doesn't get saved in plain sight):

$ security add-generic-password -a $USER -s canvas.instructure.com -w 7~1K9WJ3xobQp5RX8DUbbSdigxn2WD8yMOfUlCHbH9FIPlyL7E9E5QWSWN4CCVfqAEHC
$ history -c

Use

To use it, run a curl command with the extra c. It passes all command-line options through to curl, so it should support all the examples you see for the standard curl tool (jq is a tool for transforming JSON, but here it just formats the output to make it more readable):

$ ccurl -s  https://canvas.instructure.com/api/v1/users/self | jq .
{
  "id": 4539009,
  "name": "Matthew Buckett",
  "created_at": "2015-05-31T19:49:29+01:00",
  "sortable_name": "Buckett, Matthew",
  "short_name": "Matthew Buckett",
  "avatar_url": "https://canvas.instructure.com/images/messages/avatar-50.png",
  "locale": null,
  "effective_locale": "en-GB",
  "permissions": {
    "can_update_name": true,
    "can_update_avatar": true
  }
}

Links

https://canvas.instructure.com/doc/api/file.oauth.html#manual-token-generation - How to create a token for your account.
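
The host matching described in this post, written out as an added example (it is not the code from the linked gist). The function names `url_host`, `host_allowed`, `token_host` and `ccurl_example` are hypothetical, and passing the header through `curl -K -` instead of `-H` is an assumption of this example.

```shell
#!/bin/sh
# Added illustration, not the gist's code. Assumes tokens were stored with
# `security add-generic-password -a $USER -s <host> -w <token>` as shown above.

# Print the lower-cased host of a plain https://host/... URL. Fail for other
# schemes and for userinfo, ports, IPv6 or curl glob characters in the host.
url_host() {
  case "$1" in https://*) h=${1#https://} ;; *) return 1 ;; esac
  h=${h%%[/?#]*}                       # drop path, query and fragment
  case "$h" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac   # bare hostname only
  printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# Succeed if host $1 is listed in CCURL_HOSTS (space separated, lower case).
host_allowed() {
  for allowed in ${CCURL_HOSTS:-}; do
    [ "$1" = "$allowed" ] && return 0
  done
  return 1
}

# Print the single host whose token may be attached to this command line.
# Fail if no URL is present, or if any argument containing "://" is not an
# allow-listed https URL, since curl sends a -H header to every URL it is given.
token_host() {
  found=
  for arg in "$@"; do
    case "$arg" in *://*) ;; *) continue ;; esac
    host=$(url_host "$arg") && host_allowed "$host" || return 1
    [ -z "$found" ] || [ "$found" = "$host" ] || return 1
    found=$host
  done
  [ -n "$found" ] && printf '%s\n' "$found"
}

# Hypothetical wrapper: the header goes to curl as a config line on stdin
# (-K -), so the token is never a process argument; stdin is then unavailable.
ccurl_example() {
  if host=$(token_host "$@") &&
     token=$(security find-generic-password -a "$USER" -s "$host" -w 2>/dev/null)
  then
    printf 'header = "Authorization: Bearer %s"\n' "$token" | curl -K - "$@"
  else
    curl "$@"
  fi
}

[ "$#" -eq 0 ] || ccurl_example "$@"
```

An argument without a scheme is not recognised as a URL here, so the check is a conservative filter and not a full parse of curl's command line.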

3 Comments
James
Community Champion

Nice contribution, @matthew_buckett

I barely know how to use my Mac, but I'm good on Linux and I imagine BASH is similar in both places. If someone wants to do this but doesn't want to clear their BASH history (I have some regular lengthy commands I use that I don't want to have to recreate), you could put the line to add the token to the security ring into a text file and then execute that file. 

vi add_token
# add the security line and save the file
. add_token
rm add_token

I personally wouldn't use vi and people should feel free to use their favorite editor instead.

matthew_buckett
Community Contributor

Thanks James, nice tip. The other way to not have it in your history file is to put a space as the first character in your command, but this is easy to miss when copy/pasting command lines out of the web.

jsavage2
Community Contributor

This is nifty, James, thanks! 

FYI: if your main concern is your bash history, you can also leverage curl's -K option to load per-server configs portably. You'd lose the keychain, though.