allow --prompt-sec to be used with pipes

go.mod

@@ -59,6 +59,7 @@ require (
 	github.com/magefile/mage v1.14.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-tty v0.0.7 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect

go.sum

@@ -171,6 +171,8 @@ github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovk
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-tty v0.0.7 h1:KJ486B6qI8+wBO7kQxYgmmEFDaFEE96JMBQ7h400N8Q=
+github.com/mattn/go-tty v0.0.7/go.mod h1:f2i5ZOvXBU/tCABmLmOfzLz9azMo5wdAaElRNnJKr+k=
 github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78=
 github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=

helpers_key.go

@@ -14,6 +14,7 @@ import (
 	"fiatjaf.com/nostr/nip49"
 	"github.com/chzyer/readline"
 	"github.com/fatih/color"
+	"github.com/mattn/go-tty"
 	"github.com/urfave/cli/v3"
 )
 
@@ -90,9 +91,6 @@ func gatherSecretKeyOrBunkerFromArguments(ctx context.Context, c *cli.Command) (
 	}
 
 	if c.Bool("prompt-sec") {
-		if isPiped() {
-			return nostr.SecretKey{}, nil, fmt.Errorf("can't prompt for a secret key when processing data from a pipe, try again without --prompt-sec")
-		}
 		var err error
 		sec, err = askPassword("type your secret key as ncryptsec, nsec or hex: ", nil)
 		if err != nil {
@@ -141,29 +139,58 @@ func promptDecrypt(ncryptsec string) (nostr.SecretKey, error) {
 }
 
 func askPassword(msg string, shouldAskAgain func(answer string) bool) (string, error) {
-	config := &readline.Config{
-		Stdout:                 color.Error,
-		Prompt:                 color.YellowString(msg),
-		InterruptPrompt:        "^C",
-		DisableAutoSaveHistory: true,
-		EnableMask:             true,
-		MaskRune:               '*',
-	}
+	if isPiped() {
+		// use TTY method when stdin is piped
+		tty, err := tty.Open()
+		if err != nil {
+			return "", fmt.Errorf("can't prompt for a secret key when processing data from a pipe on this system (failed to open /dev/tty: %w), try again without --prompt-sec or provide the key via --sec or NOSTR_SECRET_KEY environment variable", err)
+		}
+		defer tty.Close()
+		for {
+			// print the prompt to stderr so it's visible to the user
+			fmt.Fprintf(os.Stderr, color.YellowString(msg))
 
-	rl, err := readline.NewEx(config)
-	if err != nil {
-		return "", err
-	}
+			// read password from TTY with masking
+			password, err := tty.ReadPassword()
+			if err != nil {
+				return "", err
+			}
 
-	for {
-		answer, err := rl.Readline()
+			// print newline after password input
+			fmt.Fprintln(os.Stderr)
+
+			answer := strings.TrimSpace(string(password))
+			if shouldAskAgain != nil && shouldAskAgain(answer) {
+				continue
+			}
+			return answer, nil
+		}
+	} else {
+		// use normal readline method when stdin is not piped
+		config := &readline.Config{
+			Stdout:                 os.Stderr,
+			Prompt:                 color.YellowString(msg),
+			InterruptPrompt:        "^C",
+			DisableAutoSaveHistory: true,
+			EnableMask:             true,
+			MaskRune:               '*',
+		}
+
+		rl, err := readline.NewEx(config)
 		if err != nil {
 			return "", err
 		}
-		answer = strings.TrimSpace(answer)
-		if shouldAskAgain != nil && shouldAskAgain(answer) {
-			continue
+
+		for {
+			answer, err := rl.Readline()
+			if err != nil {
+				return "", err
+			}
+			answer = strings.TrimSpace(answer)
+			if shouldAskAgain != nil && shouldAskAgain(answer) {
+				continue
+			}
+			return answer, err
 		}
-		return answer, err
 	}
 }