
How to setup OSF token #13

Open · jcohenadad opened this issue Oct 30, 2020 · 5 comments

Comments

@jcohenadad (Member)

Currently, I have to manually enter OSF username/password to be able to push on OSF.

I'd like to be able to use OSF token.

Can someone please document how to do this?

kousu commented Oct 30, 2020

The code doesn't support tokens. I happen to know it could, from when I was helping out https://github.com/datalad/datalad-osf, but we'd have to patch it:

```python
import os

import osfclient


def upload_to_osf(osf_project_id, osf_username, osf_password, asset_path, osf_folder, osf_location=None):
    """
    Uploads new version of the data to the Open Science Framework.
    :return: osf download url of the newly uploaded asset.
    """
    upload_path = "/" + osf_folder
    if osf_location is not None:
        upload_path += "/" + osf_location
    else:
        upload_path += "/" + os.path.basename(asset_path)
    osf = osfclient.OSF()
    # Only username/password is wired up here; there is no token path.
    osf.login(username=osf_username, password=osf_password)
```

Is your problem that it's "manual"? Meaning when you say "manually" it prompts? I don't see that anywhere in the code. Are you running it from pycharm and having to fill in the variables in some GUI each time?

You can pass the credentials in like this

```sh
OSF_USERNAME=jcohen OSF_PASSWORD=abc123 distriploy .....
```

which makes them available to distriploy and no other app -- except that it gets stored in your ~/.bash_history, so you need to remember to clear that, or wrap it like this to disable the history:

```sh
set +o history; OSF_USERNAME=jcohen OSF_PASSWORD=abc123 distriploy .....; set -o history
```

Another direction (and this is sort of the 'conventional' solution) puts them in your ~/.bash_profile:

```sh
export OSF_USERNAME=jcohen
export OSF_PASSWORD=abc123
```

this makes them available to any app running in your session or any app that can read files in your folder, so the cybersecurity of that isn't great. But I think this is what we did with AWS for spine-generic.

A third solution, one I use but am still getting the hang of, is to keep my passwords in a password manager -- pass. Because it's scriptable I can have it prompt me to decrypt them when I use them:

```sh
# note: each command substitution is closed and quoted before the next assignment
OSF_USERNAME="$(pass neuropoly/osf | awk -F ':' '/username/ { print $2 }' | head -n 1)" OSF_PASSWORD="$(pass neuropoly/osf | head -n 1)" distriploy .....
```

For you, you can use the security command on macOS. I don't have direct experience with it but this guide is pretty solid: https://www.aria.ai/blog/posts/storing-secrets-with-keychain.html. You could write something like (warning: untested!)

```sh
# -w makes `security` print only the stored secret instead of the whole keychain item
OSF_USERNAME="$(security find-generic-password -s osf_username -w)" OSF_PASSWORD="$(security find-generic-password -s osf_password -w)" distriploy .....
```

Also, maybe you're already using a password manager? If you're using LastPass then use https://github.com/lastpass/lastpass-cli in place.


I think we can patch distriploy to support OSF_TOKEN as an alternate login method; I think it's a reasonable security-convenience tradeoff to put a token into your ~/.bash_profile; yes, then any app on your computer can wreck stuff in your OSF account, but it won't be able to take it over, and you can stop it quickly just by revoking the token. That's the same level of security as keeping a password-less ssh key around, which is probably what you're using for github anyway?

kousu commented Oct 30, 2020

In summary:

  1. If it's easy, put your creds in a password manager and script around it. Write yourself a distriploy-with-creds.sh that calls your password manager (the details depend on what password manager you're using).
  2. Otherwise, accept that you're going to be somewhat hackable and just put your creds in your ~/.bashrc; then reboot (or at least re-login).

In the meantime, I'll patch the token auth in so that you can put tokens in ~/.bashrc which will limit the damage that can be done by those creds.

@jcohenadad (Member Author)

> Is your problem that it's "manual"? Meaning when you say "manually" it prompts? I don't see that anywhere in the code. Are you running it from pycharm and having to fill in the variables in some GUI each time?

Yup! It is documented here under the OSF section.
I have to remember to copy/paste these lines and enter it each time. Ideally I'd like to find a quicker solution.

I'd like to avoid putting the OSF password in my .bashrc.

I like the pass/security approaches, but it is specific to my config, so we cannot document it in the README as the "universal" approach. My problem is that every time I want to use distriploy, I forget how to use it, so I quickly read the doc and re-enter those passwords manually.

> I think we can patch distriploy to support OSF_TOKEN as an alternate login method; I think it's a reasonable security-convenience tradeoff to put a token into your ~/.bash_profile; yes, then any app on your computer can wreck stuff in your OSF account, but it won't be able to take it over, and you can stop it quickly just by revoking the token. That's the same level of security as keeping a password-less ssh key around, which is probably what you're using for github anyway?

Yes, that's what I'm using. And yes, an OSF_TOKEN would be convenient, although:

  • I realize this will require some effort, and the cost/benefit might not be great because
    • we will eventually drop OSF (if we move all our stuff to github only) -- in fact, I could stop uploading to OSF right away 😊
    • we don't use distriploy that often (which is the reason I always forget how to use it...)

Thank you for the thorough response!!!

kousu commented Oct 31, 2020

Even with token support you'd still have to.

I don't read the README as giving a universal approach, it's just giving some suggestions. It also suggests "Or add it to an environment file not under revision control" -- which would be your .bashrc or a similar script that you source -- a password manager is an encrypted version of an environment file. The real API is environment variables, and it's up to, which is about as elegant as you can get.

Is the

```sh
OSF_USERNAME=jcohen OSF_PASSWORD=abc123 distriploy .....
```

form not good enough? It's a shorthand form of the `read ... ; export ; ...` the README recommends. But the README's version has the big advantages that there's no risk of leaking the password in your bash history, and you can reuse distriploy multiple times per session. Maybe you're unclear that you only need to do `read ...; export ; ...` once per session?

There isn't really a way to make this any faster without writing your password down in a file, which it sounds like you don't want to do for good reason. If you want your passwords to represent you then you need to type them in each time.

Maybe what you could do is put

```sh
export OSF_USERNAME=jcohen
```

in your ~/.bashrc and then you only need to `read OSF_PASSWORD; distriploy` each time?

We could also make this more user friendly by making distriploy prompt if the password is missing.
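As an added illustration of the two ideas in this thread, the OSF_TOKEN login path proposed earlier and the "prompt if the password is missing" fallback just above, here is a credential resolver written for this page, not distriploy's own code. It reads the OSF_USERNAME/OSF_PASSWORD/OSF_TOKEN environment variables named in the thread; the `login_by_token`/`login` method names in `apply_to` are assumed to match osfclient and are not taken from the page.

```python
import os
from dataclasses import dataclass
from getpass import getpass
from typing import Callable, Mapping, Optional


@dataclass(frozen=True)
class OsfCredentials:
    """Either a personal access token or a username/password pair."""
    token: Optional[str] = None
    username: Optional[str] = None
    password: Optional[str] = None

    @property
    def method(self) -> str:
        return "token" if self.token else "password"

    def __repr__(self) -> str:
        # Keep the secret out of logs and tracebacks; only the method and user are shown.
        return f"OsfCredentials(method={self.method!r}, username={self.username!r})"

    def apply_to(self, osf) -> None:
        # Assumed osfclient API: OSF.login_by_token(token) and OSF.login(username, password).
        if self.token:
            osf.login_by_token(self.token)
        else:
            osf.login(self.username, self.password)


def resolve_osf_credentials(env: Mapping[str, str] = os.environ,
                            ask: Callable[[str], str] = input,
                            ask_secret: Callable[[str], str] = getpass) -> OsfCredentials:
    """Prefer OSF_TOKEN (revocable, cannot take over the account); otherwise fall back to
    OSF_USERNAME/OSF_PASSWORD and prompt for whatever is missing instead of failing."""
    token = env.get("OSF_TOKEN", "").strip()
    if token:
        return OsfCredentials(token=token)
    username = env.get("OSF_USERNAME", "").strip() or ask("OSF username: ").strip()
    # getpass does not echo and the value never touches the shell history.
    password = env.get("OSF_PASSWORD", "") or ask_secret("OSF password: ")
    if not username or not password:
        raise ValueError("OSF credentials missing: set OSF_TOKEN, or OSF_USERNAME and OSF_PASSWORD")
    return OsfCredentials(username=username, password=password)
```

With `export OSF_USERNAME=jcohen` in `~/.bashrc`, a call to `resolve_osf_credentials()` only ever prompts for the password, which is the workflow agreed on below.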

@jcohenadad (Member Author)

> Maybe what you could do is put
> `export OSF_USERNAME=jcohen`
> in your ~/.bashrc and then you only need to `read OSF_PASSWORD; distriploy` each time?

👌
