Open RuizuKun-Dev opened 3 years ago
If you are on Windows, tarmac will try to get the cookie from the registry (from the account logged into Roblox Studio). I agree that taking the cookie from the registry directly can be spooky, since it kind of happens without any warning. Like you said, you may not want to sync using that account.
One solution to this is to make it not look there by default, and add a parameter to make tarmac look for the studio cookie instead. But that means that you would need to specify `--auth` every time I guess.
I'm hesitant about using a file that contains the cookie though, since there is a risk that people could commit that file by accident if it lives within a repo. I don't have much experience with managing credentials so I don't know what's best... If you have any suggestions I'd take them, or if you know anyone that can help too!
Currently Rojo has a warning that tells users to make a dummy account in case the cookie is stolen.
Alternatively I have been looking into GitHub / Git secrets but I am not sure how that would help.
@jeparlefrancais what if we can specify an auth file in the toml? This file can be hidden in our system, not the repo, so it can’t be exposed.
If people will commit that file, or by accident, then it’s really their fault, and they should be using a dummy account for uploading assets. Roblox moderation is stupid and you don’t want any issues for your main account.
Having an auth file could work if it's not part of the repo, it makes it less risky to commit it yep. I'll get this done as soon as I have some time.
I wonder if another approach could be looking at an environment variable. Using the `--auth` flag in an automated pipeline isn't the best because it can show up in all sorts of logs. An environment variable would be much easier to use in an Action since you don't have to worry about creating files in the Action or committing it to Git.
If tarmac implicitly gets the user's cookie, it should give a yes/no confirmation with the account username. Although if you want a separate account, it’d definitely be useful if you are able to store the cookie in a file or environment variable. Additionally, if this is done, it would probably make sense to also have the confirmation.
On macOS, the `--auth` token is stored in `~/Library/Preferences/com.roblox.RobloxStudioBrowser.plist`
Do I have to specify the `--auth` for tarmac every time I sync or just the first time? I don't want tarmac to upload images using my main account.
It would be nice if we could specify it so we don't have to every time.
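
The proposals in this thread (explicit flag, environment variable, auth file kept outside the repo, and the Studio login only on request) can be combined into one resolution order. The sketch below is an added example, not tarmac's code and not written by anyone in the thread; `resolve_cookie`, `Source`, the `studio` callback and the `TARMAC_COOKIE` variable name are hypothetical.

```rust
use std::{env, fs, path::{Path, PathBuf}};

/// Where the cookie came from, so the caller can show it and ask for confirmation.
#[derive(Debug, PartialEq)]
pub enum Source { Flag, Env, File(PathBuf), Studio }

fn non_empty(s: &str) -> Option<String> {
    let t = s.trim();
    if t.is_empty() { None } else { Some(t.to_string()) }
}

/// True if `path` or any directory above it contains a `.git` entry.
pub fn inside_git_repo(path: &Path) -> bool {
    path.ancestors().any(|dir| dir.join(".git").exists())
}

/// Order: flag, environment, auth file, then the Studio login only if `allow_studio`.
/// `studio` stands in for the registry/plist lookup (assumption, not tarmac's API).
pub fn resolve_cookie(
    flag: Option<&str>,
    env_cookie: Option<&str>,
    auth_file: Option<&Path>,
    allow_studio: bool,
    studio: impl FnOnce() -> Option<String>,
) -> Result<(String, Source), String> {
    if let Some(c) = flag.and_then(non_empty) { return Ok((c, Source::Flag)); }
    if let Some(c) = env_cookie.and_then(non_empty) { return Ok((c, Source::Env)); }
    if let Some(path) = auth_file {
        // A configured file that cannot be used is an error, not a fall-through.
        let abs = fs::canonicalize(path).map_err(|e| format!("{}: {}", path.display(), e))?;
        if inside_git_repo(&abs) {
            return Err(format!("{} is inside a Git repository", abs.display()));
        }
        let text = fs::read_to_string(&abs).map_err(|e| e.to_string())?;
        return non_empty(&text).map(|c| (c, Source::File(abs))).ok_or_else(|| "auth file is empty".to_string());
    }
    if allow_studio {
        if let Some(c) = studio().as_deref().and_then(non_empty) { return Ok((c, Source::Studio)); }
    }
    Err("no cookie found; the Studio login is only used when requested".to_string())
}

fn main() {
    // TARMAC_COOKIE is a hypothetical variable name used for this example.
    let env_cookie = env::var("TARMAC_COOKIE").ok();
    match resolve_cookie(None, env_cookie.as_deref(), None, false, || None) {
        Ok((_, source)) => println!("using cookie from {:?}", source), // never print the cookie
        Err(e) => eprintln!("error: {}", e),
    }
}
```

Returning the `Source` alongside the cookie gives the caller what it needs to show the yes/no confirmation suggested above before anything is uploaded.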