Don't store authentication credentials in $XDG_CONFIG_HOME

[rpdelaney]

After running exercism configure --token='<token>' I find that my token is stored in $XDG_CONFIG_HOME/exercism/user.json.

This is a security risk because users who do not expect authentication data to be stored here may accidentally back it up insecurely. Configuration fields like apibaseurl and workspace are fine, but prefer storing token somewhere in $XDG_DATA_HOME to conform to the standard.

Reference: https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

$XDG_CONFIG_HOME defines the base directory relative to which user specific                                                                                                                                          
configuration files should be stored. If $XDG_CONFIG_HOME is either not set or                                                                                                                                       
empty, a default equal to $HOME/.config should be used.

$XDG_DATA_HOME defines the base directory relative to which user specific data                                                                                                                                       
files should be stored. If $XDG_DATA_HOME is either not set or empty, a default                                                                                                                                      
equal to $HOME/.local/share should be used.

[rahul6991]

everyone can copy paste the token to the terminal everytime. It's kind of annoying thing , Imagine a scenario if someone is working on a task in their Local machine and finished a task after a day ,if they lost their token ,and tried to submit the their assignment .they'll get the error as of loss of taken and they again need to go back and copy and paste token in terminal

[kytrinyx]

@rpdelaney Thanks, I was not aware of the distinction; this is useful.

I agree that we should fix this for Mac and Linux. (I don't think Windows follows the XDG specification. If I'm wrong about that, this would be a good time to enlighten me 😁).

@rahul6991 I'm not following. Would you elaborate please?

[rpdelaney]

@kytrinyx I don't know if mingw or cygwin implement the freedesktop standard in Windows, but they might. I haven't had a Windows system in years so I can't comment directly beyond that. Thanks for looking into this.

[Smarticles101]

Upon quick inspection, the correct change to make is:

diff --git a/config/config.go b/config/config.go
index b9b1883..b0c6d85 100644
--- a/config/config.go
+++ b/config/config.go
@@ -63,7 +63,7 @@ func Dir() string {
                if dir != "" {
                        return dir
                }
-               dir = os.Getenv("XDG_CONFIG_HOME")
+               dir = os.Getenv("XDG_DATA_HOME")
                if dir == "" {
                        dir = filepath.Join(os.Getenv("HOME"), ".config")
                }

Would we need to introduce code for backwards-compatibility so people upgrading don't lose where their config file is located?

[kytrinyx]

Would we need to introduce code for backwards-compatibility so people upgrading don't lose where their config file is located?

Yeah, I think we need to.

[anuramat]

any progress on this? I could do a PR

[rpdelaney]

I have been summoned by comment necro.

Replying to @Smarticles101, you may want to look at platformdirs for cross-platform compatibility. For instance, some BSD-derived operating systems have a different preconception of where this stuff should go; and of course there's Windows...

If you don't want an extra dependency, something like this is probably safest:

dir = Path(os.environ.get("XDG_CONFIG_HOME", Path.home() / ".config"))

@kytrinyx Here is an example of how to implement backward compatibility.