// Package terminal provides secure terminal input helpers for CLI tools.
package terminal

import (
	"fmt"
	"os"

	"golang.org/x/term"
)

// ReadPassword prints the given prompt to stderr and reads a password
// from the terminal with echo disabled. It prints a newline after the
// input is complete so the cursor advances normally.
func ReadPassword(prompt string) (string, error) {
	b, err := readRaw(prompt)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// ReadPasswordBytes is like ReadPassword but returns a []byte so the
// caller can zeroize the buffer after use.
func ReadPasswordBytes(prompt string) ([]byte, error) {
	return readRaw(prompt)
}

func readRaw(prompt string) ([]byte, error) {
	fmt.Fprint(os.Stderr, prompt)
	b, err := term.ReadPassword(int(os.Stdin.Fd())) //nolint:gosec // fd fits in int
	fmt.Fprintln(os.Stderr)
	if err != nil {
		return nil, err
	}
	return b, nil
}