Secure the user secret prompt

countzero · countzero · commit 9d592758124e · 2018-09-24T10:26:40.000+02:00
diff --git a/backup_github_repositories.ps1 b/backup_github_repositories.ps1
@@ -29,18 +29,26 @@ Overrides the default backup directory.
 .\backup_github_repositories.ps1 -backupDirectory "C:\myBackupDirectory"
 #>
 
-[CmdletBinding()]
+[CmdletBinding(
+    DefaultParameterSetName = 'SecureSecret'
+)]
 Param (
 
     [Parameter(
-        Mandatory=$true,
+        Mandatory=$True,
         HelpMessage="The name of a GitHub user that has access to the GitHub API."
     )]
-    [string]$userName,
+    [string]$username,
 
     [Parameter(
-        Mandatory=$true,
-        HelpMessage="The password or personal access token of the GitHub user."
+        Mandatory=$True,
+        HelpMessage="The password or personal access token of the GitHub user.",
+        ParameterSetName = 'SecureSecret'
+    )]
+    [Security.SecureString]${user password or personal access token},
+    [Parameter(
+        Mandatory = $True,
+        ParameterSetName = 'PlainTextSecret'
     )]
     [string]$userSecret,
 
@@ -49,6 +57,18 @@ Param (
     [string]$backupDirectory
 )
 
+# Consolidate the user secret, either from the argument or the prompt, in a secure string format.
+if ($userSecret) {
+    $secureStringUserSecret = $userSecret | ConvertTo-SecureString -AsPlainText -Force
+} else {
+    $secureStringUserSecret = ${user password or personal access token}
+}
+
+# Convert the secure user secret string into a plain text representation.
+$plainTextUserSecret = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
+    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureStringUserSecret)
+)
+
 # Default the backup directory to './YYYY-MM-DD'. This can
 # not be done in the Param section because $PSScriptRoot
 # will not be resolved if this script gets invoked from cmd.
@@ -107,7 +127,7 @@ if($organisationName) {
 #
 # @see https://developer.github.com/v3/auth/#basic-authentication
 #
-$basicAuthenticationCredentials = "${userName}:${userSecret}"
+$basicAuthenticationCredentials = "${username}:${plainTextUserSecret}"
 $encodedBasicAuthenticationCredentials = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($basicAuthenticationCredentials))
 $requestHeaders = @{
     Authorization = "Basic $encodedBasicAuthenticationCredentials"
