curl while hiding secrets for github api

github_api.sh

#!/bin/bash -eu

# uses 1pass to get token from 1password vault
export GITHUB_API_TOKEN=`1pass "github api token"`

function ghapi() {
  # escape double quotes as we need to insert the passed heredoc into a json string
  # optionally we could build this with jq?
  local json=$(cat | sed 's/"/\\"/g')
  curl -sS -K <(cat <<<"header \"Authorization: token $GITHUB_API_TOKEN\"") -X POST https://api.github.com/graphql -d @- <<EOT
  {
     "query": "$json"
  }
EOT
}

login=$(ghapi <<EOF
query {
  viewer {
    login }}
EOF
)

jq "." <<<$login

sample.sh

# leaks the token on the commandline, process list and possibly history
curl -H "Authorization: token $GITHUB_API_TOKEN" ...

# How about:
curl -K- <<< "header 'Authorization: token $GITHUB_API_TOKEN'"

# or even trickier:
curl -K <(cat <<<"header \"Authorization: token $GITHUB_API_TOKEN\"") 
# (the `<(` executes the command, stores the output in a temporary file-ish thing, and returns a file handle)

# a version with a payload:
curl -K <(cat <<<"header \"Authorization: token $GITHUB_API_TOKEN\"") -X POST -d " \
 { \
   \"query\": \"query { viewer { login }}\" \
 } \
" https://api.github.com/graphql

# or using a heredoc for the json:

curl -K <(cat <<<"header \"Authorization: token $GITHUB_API_TOKEN\"") -X POST https://api.github.com/graphql -d @- << EOF
{
   "query": "query { viewer { login }}" 
}
EOF