From 45236a1f7ddfa70c3983b1ecbb931fd1a615a4a3 Mon Sep 17 00:00:00 2001
From: James Royal <jroyal@cloudflare.com>
Date: Wed, 15 Nov 2023 15:07:39 -0600
Subject: [PATCH] VULN-44842 Add a flag that allows users to not send the
 Access JWT to stdout

---
 cmd/cloudflared/access/cmd.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/cmd/cloudflared/access/cmd.go b/cmd/cloudflared/access/cmd.go
index 18cec344..24d48d02 100644
--- a/cmd/cloudflared/access/cmd.go
+++ b/cmd/cloudflared/access/cmd.go
@@ -26,6 +26,7 @@ import (
 )
 
 const (
+	loginQuietFlag     = "quiet"
 	sshHostnameFlag    = "hostname"
 	sshDestinationFlag = "destination"
 	sshURLFlag         = "url"
@@ -90,6 +91,13 @@ func Commands() []*cli.Command {
 					Once authenticated with your identity provider, the login command will generate a JSON Web Token (JWT)
 					scoped to your identity, the application you intend to reach, and valid for a session duration set by your
 					administrator. cloudflared stores the token in local storage.`,
+					Flags: []cli.Flag{
+						&cli.BoolFlag{
+							Name:    loginQuietFlag,
+							Aliases: []string{"q"},
+							Usage:   "do not print the jwt to the command line",
+						},
+					},
 				},
 				{
 					Name:   "curl",
@@ -246,6 +254,10 @@ func login(c *cli.Context) error {
 		fmt.Fprintln(os.Stderr, "token for provided application was empty.")
 		return errors.New("empty application token")
 	}
+
+	if c.Bool(loginQuietFlag) {
+		return nil
+	}
 	fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", cfdToken)
 
 	return nil