hash-password
Produces a bcrypt hash for use with the mobile-app command's locked-password mode. Operators set the resulting hash in the TOURNAMENT_PASSWORD_HASH environment variable so the running server can compare incoming X-Tournament-Password headers against it without storing the plaintext.
Input
The command reads the plaintext from one of two sources, in this order:
- Positional argument:
bracket-creator hash-password mysecret. Convenient for ad-hoc use, but the password is recorded in shell history. Suitable for development. - Standard input (when no argument is supplied): read one line of stdin. The terminal echoes what the operator types (the command does not disable echo or print a prompt). For production rotation, pipe from a secrets manager or here-doc rather than typing the password interactively. Recommended path because it avoids shell-history leakage.
Bcrypt has a hard 72-byte limit on the input. Passwords longer than that are rejected up-front rather than silently truncated.
Output
Single line on stdout: the bcrypt hash (for example, $2a$10$tq9jkGYsf1ttx0ZM.UUrxezVBcO4aZaS.dVRY73xC5lwEvTJLcMc6). Cost is bcrypt.DefaultCost (10), fine for admin-facing endpoints (~50-100 ms per verify) and not worth tuning until a real load problem appears.
Examples
# Quick generation via argument (leaves password in shell history)
bracket-creator hash-password mysecret
# Stdin path: pipe from another command
echo -n "$MY_SECRET" | bracket-creator hash-password
# Capture into a shell variable for the mobile-app server
HASH=$(printf '%s' "$MY_SECRET" | bracket-creator hash-password)
TOURNAMENT_PASSWORD_HASH="$HASH" \
bracket-creator mobile-app --lock-password -f ./tournament-data
See the mobile-app command reference for how the hash is consumed at startup.