How does heroku store its authentication on its command-line app?

Question

I assume that when you first install the heroku gem and you're prompted to put in your username/password, it sends that username/password to its server to validate.

How then does heroku (or any other command-line apps for that matter) store that validated token on the file system securely and then transmit it together when it runs other commands like 'heroku create' for validation?

I'm using heroku as an example here because it is the only one that I could think of which does what I'd like to do at the moment.

Answer 1

Heroku now spells out how they store their auth token for the Heroku CLI in pretty good detail here: https://devcenter.heroku.com/articles/authentication

Relevant excerpts:

API token storage

The Heroku command-line tool stores API tokens in the standard Unix file ~/.netrc. The netrc format is well-established and well-supported by various network tools on unix. With Heroku credentials stored in this file, other tools such as curl can access the Heroku API with little or no extra work.

cd ~
ls .netrc
ls: .netrc: No such file or directory
$ heroku login
Enter your Heroku credentials.
Email: [email protected]
Password:
$ cat .netrc
machine api.heroku.com
  login [email protected]
  password c4cd94da15ea0544802c2cfd5ec4ead324327430
machine code.heroku.com
  login [email protected]
  password c4cd94da15ea0544802c2cfd5ec4ead324327430

Answer 2

Heroku uses your login once to figure out who you are, then sends your public ssh key to their server so when you push to their git repo they know who you are(docs).

Other apps handle things differently. Some create a .<something> file in your home directory that contains an API token.

Answer 3

The heroku gem stores your credentials in ~/.heroku/credentials and the related code is in lib/heroku/auth.rb.