feat(clip,show)!: req magic string in TOML entries

dbohdan · dbohdan · commit e123837a811d · 2025-09-14T06:27:50.000Z
Do not show full TOML documents by default.
This makes it more difficult to reveal an OTP URI by accident.

v0.18.0
diff --git a/README.md b/README.md
@@ -247,17 +247,35 @@ pago can store and retrieve structured data in the [TOML](https://toml.io/) form
 This is useful for storing multiple related values in a single entry, such as API keys, usernames, and URLs.
 
 To create a TOML entry, use `pago add --multiline` and provide TOML content on standard input.
+The content must start with the string `# TOML`.
 
 ```shell
 pago add -m services/my-api <<EOF
+# TOML
 user = "jdoe"
-key = "abc-123"
+password = "abcdef"
+token = "tok-123"
 url = "https://api.example.com"
 numbers = [1, 1, 2, 3, 5]
 EOF
 ```
 
-You can then retrieve individual values from the TOML entry using the `-k`/`--key` option with the commands `show`, `clip`, and `pick`, or with the `key` command.
+When you `show` or `clip` a TOML entry without specifying a key, pago will use a default key.
+The default key is `password`.
+You can specify a different default key by adding a key `default` to the TOML entry.
+
+```shell
+pago add -m services/my-api-custom-default <<EOF
+# TOML
+default = "api-key"
+api-key = "xyz-456"
+EOF
+
+pago show services/my-api-custom-default
+# => xyz-456
+```
+
+You can retrieve other values from the TOML entry using the `-k`/`--key` option with the commands `show`, `clip`, and `pick`, or with the `key` command.
 
 ```shell
 # Show the user from the TOML entry.
@@ -280,15 +298,15 @@ When an entry is parsed as TOML, pago can retrieve scalar values (strings, numbe
 Arrays and scalars other than strings are encoded as TOML for output.
 pago cannot retrieve tables.
 
-If you show or clip a TOML entry without `--key`, the entire TOML document is returned.
-
 ### TOTP
 
 pago can generate [time-based one-time passwords (TOTP)](https://en.wikipedia.org/wiki/Time-based_one-time_password) from a [TOML entry](#toml-entries).
 To use this feature, store the `otpauth://` URI in a key named `otp`.
+The entry must start with `# TOML`.
 
 ```shell
 pago add -m services/my-service <<EOF
+# TOML
 user = "jdoe"
 otp = "otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"
 EOF
diff --git a/cmd/pago/main.go b/cmd/pago/main.go
@@ -360,7 +360,12 @@ func getPassword(agentExecutable string, agentExpire time.Duration, agentMemlock
 		return "", err
 	}
 
-	if key == "" {
+	isToml := strings.HasPrefix(content, "# TOML")
+	if !isToml {
+		if key != "" {
+			return "", fmt.Errorf("entry %q is not a TOML entry; cannot use --key", name)
+		}
+
 		return content, nil
 	}
 
@@ -369,6 +374,18 @@ func getPassword(agentExecutable string, agentExpire time.Duration, agentMemlock
 		return "", fmt.Errorf("failed to parse entry as TOML: %w", err)
 	}
 
+	if key == "" {
+		key = "password"
+
+		if defaultKey, ok := data["default"]; ok {
+			if defaultKeyStr, ok := defaultKey.(string); ok {
+				key = defaultKeyStr
+			} else {
+				return "", fmt.Errorf(`key "default" must have string value`)
+			}
+		}
+	}
+
 	value, ok := data[key]
 	if !ok {
 		return "", fmt.Errorf("key %q not found in entry %q", key, name)
diff --git a/config.go b/config.go
@@ -22,7 +22,7 @@ const (
 	ExitMemlockError = 3
 	FilePerms        = 0o600
 	NameInvalidChars = `[\n]`
-	Version          = "0.17.0"
+	Version          = "0.18.0"
 	WaitForSocket    = 3 * time.Second
 
 	DefaultAgent           = "pago-agent"
diff --git a/test/e2e_test.go b/test/e2e_test.go
@@ -704,9 +704,10 @@ func TestShowKey(t *testing.T) {
 
 	_, err := withPagoDir(func(dataDir string) (string, error) {
 		// Add a TOML entry.
-		cmd := exec.Command(commandPago, "--dir", dataDir, "add", "toml-test", "--multiline")
-		cmd.Stdin = strings.NewReader(`
+		cmd := exec.Command(commandPago, "--dir", dataDir, "add", "toml", "--multiline")
+		cmd.Stdin = strings.NewReader(`# TOML
 # Comment.
+password = "hunter2"
 foo = "string"
 bar = 5
 
@@ -723,17 +724,43 @@ qux = {"key" = "value"}
 			return stdout.String() + "\n" + stderr.String(), err
 		}
 
+		// Add a TOML entry with a custom default key.
+		cmd = exec.Command(commandPago, "--dir", dataDir, "add", "toml-default", "--multiline")
+		cmd.Stdin = strings.NewReader(`# TOML
+default = "foo"
+foo = "secret"
+`)
+		cmd.Stdout = &stdout
+		cmd.Stderr = &stderr
+		err = cmd.Run()
+		if err != nil {
+			return stdout.String() + "\n" + stderr.String(), err
+		}
+
+		// Add a non-TOML entry.
+		_, _, err = runCommandEnv(
+			[]string{"PAGO_DIR=" + dataDir},
+			"add", "not-toml", "--random",
+		)
+		if err != nil {
+			return "", err
+		}
+
 		testCases := []struct {
+			entry    string
 			key      string
 			expected string
 			wantErr  bool
 		}{
-			{"foo", "string", false},
-			{"bar", "5", false},
-			{"phi", "1.68", false},
-			{"baz", "[1, 2, 3, true, false]", false},
-			{"quux", "", true},
-			{"nonexistent", "", true},
+			{"toml", "", "hunter2", false},
+			{"toml", "foo", "string", false},
+			{"toml", "bar", "5", false},
+			{"toml", "phi", "1.68", false},
+			{"toml", "baz", "[1, 2, 3, true, false]", false},
+			{"toml", "quux", "", true},
+			{"toml", "nonexistent", "", true},
+			{"toml-default", "", "secret", false},
+			{"not-toml", "foo", "", true},
 		}
 
 		for _, tc := range testCases {
@@ -746,27 +773,32 @@ qux = {"key" = "value"}
 
 			buf.Reset()
 
-			cmd := exec.Command(commandPago, "--dir", dataDir, "--socket", "", "show", "--key", tc.key, "toml-test")
+			var cmd *exec.Cmd
+			if tc.key == "" {
+				cmd = exec.Command(commandPago, "--dir", dataDir, "--socket", "", "show", tc.entry)
+			} else {
+				cmd = exec.Command(commandPago, "--dir", dataDir, "--socket", "", "show", "--key", tc.key, tc.entry)
+			}
 			cmd.Stdin = c.Tty()
 			cmd.Stdout = &buf
 			cmd.Stderr = c.Tty()
 
 			err = cmd.Start()
 			if err != nil {
-				return "", fmt.Errorf("failed to start command for key %q: %w", tc.key, err)
+				return "", fmt.Errorf("failed to start command for entry %q key %q: %w", tc.entry, tc.key, err)
 			}
 
 			_, _ = c.ExpectString("Enter password")
 			_, _ = c.SendLine(password)
 
 			err = cmd.Wait()
 			if (err != nil) != tc.wantErr {
-				return "", fmt.Errorf("command failed for key %q: %w", tc.key, err)
+				return "", fmt.Errorf("command failed for entry %q key %q: %w", tc.entry, tc.key, err)
 			}
 
 			output := strings.TrimSpace(buf.String())
-			if output != tc.expected {
-				return "", fmt.Errorf("for key %q, expected %q, got %q", tc.key, tc.expected, output)
+			if !tc.wantErr && output != tc.expected {
+				return "", fmt.Errorf("for entry %q key %q, expected %q, got %q", tc.entry, tc.key, tc.expected, output)
 			}
 		}
 
@@ -782,8 +814,9 @@ func TestKeyCmd(t *testing.T) {
 
 	_, err := withPagoDir(func(dataDir string) (string, error) {
 		// Add a TOML entry.
-		cmd := exec.Command(commandPago, "--dir", dataDir, "add", "toml-test", "--multiline")
-		cmd.Stdin = strings.NewReader(`foo = "string"`)
+		cmd := exec.Command(commandPago, "--dir", dataDir, "add", "toml", "--multiline")
+		cmd.Stdin = strings.NewReader(`# TOML
+foo = "string"`)
 		var stdout, stderr bytes.Buffer
 		cmd.Stdout = &stdout
 		cmd.Stderr = &stderr
@@ -801,7 +834,7 @@ func TestKeyCmd(t *testing.T) {
 
 		buf.Reset()
 
-		cmd = exec.Command(commandPago, "--dir", dataDir, "--socket", "", "key", "toml-test", "foo")
+		cmd = exec.Command(commandPago, "--dir", dataDir, "--socket", "", "key", "toml", "foo")
 		cmd.Stdin = c.Tty()
 		cmd.Stdout = &buf
 		cmd.Stderr = c.Tty()
@@ -837,7 +870,8 @@ func TestShowOTP(t *testing.T) {
 		// Add a TOML entry with a 6-digit otpauth URI.
 		cmd := exec.Command(commandPago, "--dir", dataDir, "add", "otp-test-6digit", "--multiline")
 		// Example URI from https://github.com/google/google-authenticator/wiki/Key-Uri-Format
-		cmd.Stdin = strings.NewReader(`otp = "otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"`)
+		cmd.Stdin = strings.NewReader(`# TOML
+otp = "otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"`)
 		var stdout, stderr bytes.Buffer
 		cmd.Stdout = &stdout
 		cmd.Stderr = &stderr
@@ -848,7 +882,8 @@ func TestShowOTP(t *testing.T) {
 
 		// Add another TOML entry with an 8-digit otpauth URI.
 		cmd = exec.Command(commandPago, "--dir", dataDir, "add", "otp-test-8digit", "--multiline")
-		cmd.Stdin = strings.NewReader(`otp = "otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example&algorithm=sha256&digits=8"`)
+		cmd.Stdin = strings.NewReader(`# TOML
+otp = "otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example&algorithm=sha256&digits=8"`)
 		cmd.Stdout = &stdout
 		cmd.Stderr = &stderr
 		err = cmd.Run()
