feat: add basic authentication support (#4)

* feat: add basic authentication support

Add --user and --password flags to `esq config add` for environments
that require HTTP basic auth (e.g. Elasticsearch clusters behind
authentication proxies or with X-Pack security enabled).

Credentials are stored in config.json and sent as Authorization headers
on every request. The `config list` output now shows an auth indicator
when credentials are configured.

* fix: address security review feedback

- Config file permissions tightened from 0644 to 0600 (owner-only)
- Existing files get chmod'd on every save to fix legacy permissions
- Add --password-stdin flag for secure password input (interactive
  terminal prompt via x/term, or piped input for scripting)
- --password flag kept for convenience but help text warns about
  shell history exposure

Author: PascalTemel

go.mod

@@ -7,4 +7,6 @@ require github.com/spf13/cobra v1.10.2
 require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
+	golang.org/x/sys v0.41.0 // indirect
+	golang.org/x/term v0.40.0 // indirect
 )

go.sum

@@ -8,4 +8,8 @@ github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
+golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

internal/cmd/config/config.go

@@ -1,12 +1,16 @@
 package configcmd
 
 import (
+	"bufio"
 	"fmt"
+	"os"
 	"sort"
+	"strings"
 
 	"github.com/enthus-appdev/esq-cli/internal/config"
 	"github.com/enthus-appdev/esq-cli/internal/output"
 	"github.com/spf13/cobra"
+	"golang.org/x/term"
 )
 
 // NewConfigCmd creates the config command group.
@@ -30,13 +34,14 @@ func NewConfigCmd() *cobra.Command {
 }
 
 func newAddCmd() *cobra.Command {
-	var url string
+	var url, user, password string
+	var passwordStdin bool
 
 	cmd := &cobra.Command{
 		Use:   "add <name>",
 		Short: "Add an Elasticsearch environment",
 		Example: `  esq config add prod --url http://es-prod:9200
-  esq config add stage --url http://es-stage:9200
+  esq config add stage --url http://es-stage:9200 --user elastic --password-stdin
   esq config add local --url http://localhost:9200`,
 		Args: cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -46,13 +51,42 @@ func newAddCmd() *cobra.Command {
 				return fmt.Errorf("--url is required\n\nExample:\n  esq config add %s --url http://hostname:9200", name)
 			}
 
+			if password != "" && passwordStdin {
+				return fmt.Errorf("--password and --password-stdin are mutually exclusive")
+			}
+
+			// Read password from stdin if requested
+			if passwordStdin {
+				if term.IsTerminal(int(os.Stdin.Fd())) {
+					fmt.Fprint(os.Stderr, "Password: ")
+					raw, err := term.ReadPassword(int(os.Stdin.Fd()))
+					fmt.Fprintln(os.Stderr)
+					if err != nil {
+						return fmt.Errorf("reading password: %w", err)
+					}
+					password = string(raw)
+				} else {
+					scanner := bufio.NewScanner(os.Stdin)
+					if scanner.Scan() {
+						password = strings.TrimRight(scanner.Text(), "\r\n")
+					}
+					if err := scanner.Err(); err != nil {
+						return fmt.Errorf("reading password from stdin: %w", err)
+					}
+				}
+			}
+
 			cfg, err := config.Load()
 			if err != nil {
 				return err
 			}
 
 			_, exists := cfg.Environments[name]
-			cfg.Environments[name] = &config.Environment{URL: url}
+			cfg.Environments[name] = &config.Environment{
+				URL:      url,
+				Username: user,
+				Password: password,
+			}
 
 			// Auto-set as current if it's the first environment
 			if cfg.CurrentEnv == "" {
@@ -69,6 +103,10 @@ func newAddCmd() *cobra.Command {
 				output.Success("Added environment %q (url: %s)", name, url)
 			}
 
+			if user != "" {
+				output.Info("Basic auth: %s", user)
+			}
+
 			if cfg.CurrentEnv == name {
 				output.Info("Active environment: %s", name)
 			}
@@ -78,6 +116,9 @@ func newAddCmd() *cobra.Command {
 	}
 
 	cmd.Flags().StringVar(&url, "url", "", "Elasticsearch base URL (e.g. http://hostname:9200)")
+	cmd.Flags().StringVar(&user, "user", "", "Username for basic authentication")
+	cmd.Flags().StringVar(&password, "password", "", "Password for basic authentication (visible in shell history, prefer --password-stdin)")
+	cmd.Flags().BoolVar(&passwordStdin, "password-stdin", false, "Read password from stdin (prompted interactively if terminal)")
 
 	return cmd
 }
@@ -139,7 +180,11 @@ func newListCmd() *cobra.Command {
 				if name == cfg.CurrentEnv {
 					marker = "* "
 				}
-				fmt.Printf("%s%-10s %s\n", marker, name, env.URL)
+				auth := ""
+				if env.Username != "" {
+					auth = fmt.Sprintf(" (auth: %s)", env.Username)
+				}
+				fmt.Printf("%s%-10s %s%s\n", marker, name, env.URL, auth)
 			}
 
 			return nil

internal/cmd/root.go

@@ -79,7 +79,7 @@ func getClient() (*es.Client, string, error) {
 		return nil, "", fmt.Errorf("environment %q not found (available: %s)", envName, formatEnvList(cfg))
 	}
 
-	return es.NewClient(env.URL), envName, nil
+	return es.NewClient(env.URL, env.Username, env.Password), envName, nil
 }
 
 func formatEnvList(cfg *config.Config) string {

internal/cmd/search/search.go

@@ -105,7 +105,7 @@ func getClient(cmd *cobra.Command) (*es.Client, string, error) {
 		return nil, "", fmt.Errorf("environment %q not found", envName)
 	}
 
-	return es.NewClient(env.URL), envName, nil
+	return es.NewClient(env.URL, env.Username, env.Password), envName, nil
 }
 
 // resolveIndex resolves a partial index name and prints info about ambiguity.

internal/config/config.go

@@ -17,7 +17,9 @@ type Config struct {
 
 // Environment represents a single Elasticsearch cluster.
 type Environment struct {
-	URL string `json:"url"`
+	URL      string `json:"url"`
+	Username string `json:"username,omitempty"`
+	Password string `json:"password,omitempty"`
 }
 
 // configPath returns the path to the config file, respecting XDG_CONFIG_HOME.
@@ -66,9 +68,13 @@ func Save(cfg *Config) error {
 	}
 	data = append(data, '\n')
 
-	if err := os.WriteFile(path, data, 0o644); err != nil {
+	if err := os.WriteFile(path, data, 0o600); err != nil {
 		return fmt.Errorf("writing config: %w", err)
 	}
+	// Ensure restrictive permissions even if file already existed with wider perms.
+	if err := os.Chmod(path, 0o600); err != nil {
+		return fmt.Errorf("setting config permissions: %w", err)
+	}
 	return nil
 }
 

internal/es/client.go

@@ -14,13 +14,17 @@ import (
 // Client is an Elasticsearch HTTP client.
 type Client struct {
 	baseURL    string
+	username   string
+	password   string
 	httpClient *http.Client
 }
 
 // NewClient creates a new Elasticsearch client.
-func NewClient(baseURL string) *Client {
+func NewClient(baseURL, username, password string) *Client {
 	return &Client{
-		baseURL: strings.TrimRight(baseURL, "/"),
+		baseURL:  strings.TrimRight(baseURL, "/"),
+		username: username,
+		password: password,
 		httpClient: &http.Client{
 			Timeout: 30 * time.Second,
 		},
@@ -40,6 +44,10 @@ func (c *Client) request(method, path string, body io.Reader) ([]byte, error) {
 		req.Header.Set("Content-Type", "application/json")
 	}
 
+	if c.username != "" {
+		req.SetBasicAuth(c.username, c.password)
+	}
+
 	resp, err := c.httpClient.Do(req)
 	if err != nil {
 		return nil, fmt.Errorf("request failed: %w", err)