Skip to main content

lib/mix/tasks/break_glass.gen_hash.ex

defmodule Mix.Tasks.BreakGlass.GenHash do
  use Mix.Task

  @shortdoc "Generate a bcrypt hash for a break-glass password"

  @moduledoc """
  Generates a bcrypt hash for a given plaintext password and prints it to stdout.

  ## Usage

      mix break_glass.gen_hash "my_secret_password"

  The hash printed to stdout can be stored in an environment variable or secrets
  manager and then configured via:

      config :break_glass_ex,
        password_hash: System.fetch_env!("BREAK_GLASS_PASSWORD_HASH")

  ## Security Note

  The plaintext password is **never** logged, persisted, or stored beyond the
  computation of the hash. Do not commit the plaintext password to source control.

  ## Requirements

  13.1, 13.2, 13.3, 13.4
  """

  @impl Mix.Task
  def run([password | _]) do
    hash = Bcrypt.hash_pwd_salt(password)
    IO.puts(hash)
  end

  def run([]) do
    IO.puts(:stderr, """
    Usage: mix break_glass.gen_hash <plaintext_password>

    Example:
      mix break_glass.gen_hash "my_secret_password"

    The bcrypt hash will be printed to stdout.
    """)

    System.halt(1)
  end
end