switch from client_secret to client_secret_file

internal/config/config.go

@@ -4,17 +4,21 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/adrg/xdg"
 	toml "github.com/pelletier/go-toml/v2"
 )
 
 type Config struct {
-	Issuer       string `toml:"issuer"`
-	ClientID     string `toml:"client_id"`
-	ClientSecret string `toml:"client_secret,omitempty"`
-	CacheHost    string `toml:"cache_host"`
-	NetrcPath    string `toml:"netrc_path"`
+	Issuer           string `toml:"issuer"`
+	ClientID         string `toml:"client_id"`
+	ClientSecretFile string `toml:"client_secret_file,omitempty"`
+	CacheHost        string `toml:"cache_host"`
+	NetrcPath        string `toml:"netrc_path"`
+
+	// ClientSecret is populated at load time by reading ClientSecretFile.
+	ClientSecret string `toml:"-"`
 }
 
 // Load reads the config from the given path, or from the default XDG location.
@@ -34,6 +38,15 @@ func Load(path string) (*Config, error) {
 	}
 
 	cfg.NetrcPath = os.ExpandEnv(cfg.NetrcPath)
+	cfg.ClientSecretFile = os.ExpandEnv(cfg.ClientSecretFile)
+
+	if cfg.ClientSecretFile != "" {
+		secret, err := os.ReadFile(cfg.ClientSecretFile)
+		if err != nil {
+			return nil, fmt.Errorf("reading client_secret_file: %w", err)
+		}
+		cfg.ClientSecret = strings.TrimSpace(string(secret))
+	}
 
 	if err := cfg.validate(); err != nil {
 		return nil, err