From 3e4f7db237a085c6c5e80b16d0cca08df27119fc Mon Sep 17 00:00:00 2001
From: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
Date: Tue, 16 Aug 2022 16:48:24 -0400
Subject: [PATCH] dev docs: clarify internal and external token helpers
 (#13014)

* dev docs: clarify internal and external token helpers

* Add docs for DefaultTokenHelper
---
 command/config/util.go           | 1 +
 command/token/helper_external.go | 3 +++
 command/util.go                  | 1 +
 3 files changed, 5 insertions(+)

diff --git a/command/config/util.go b/command/config/util.go
index 3dd09fdec..1ac47df7e 100644
--- a/command/config/util.go
+++ b/command/config/util.go
@@ -5,6 +5,7 @@ import (
 )
 
 // DefaultTokenHelper returns the token helper that is configured for Vault.
+// This helper should only be used for non-server CLI commands.
 func DefaultTokenHelper() (token.TokenHelper, error) {
 	config, err := LoadConfig("")
 	if err != nil {
diff --git a/command/token/helper_external.go b/command/token/helper_external.go
index 917d44573..7fd25b061 100644
--- a/command/token/helper_external.go
+++ b/command/token/helper_external.go
@@ -10,6 +10,7 @@ import (
 	"strings"
 )
 
+// ExternalTokenHelperPath should only be used in dev mode.
 // ExternalTokenHelperPath takes the configured path to a helper and expands it to
 // a full absolute path that can be executed. As of 0.5, the default token
 // helper is internal, to avoid problems running in dev mode (see GH-850 and
@@ -38,6 +39,8 @@ func ExternalTokenHelperPath(path string) (string, error) {
 
 var _ TokenHelper = (*ExternalTokenHelper)(nil)
 
+// ExternalTokenHelper should only be used in a dev mode. For all other cases,
+// InternalTokenHelper should be used.
 // ExternalTokenHelper is the struct that has all the logic for storing and retrieving
 // tokens from the token helper. The API for the helpers is simple: the
 // BinaryPath is executed within a shell with environment Env. The last argument
diff --git a/command/util.go b/command/util.go
index def0a1e05..4f9614e23 100644
--- a/command/util.go
+++ b/command/util.go
@@ -14,6 +14,7 @@ import (
 )
 
 // DefaultTokenHelper returns the token helper that is configured for Vault.
+// This helper should only be used for non-server CLI commands.
 func DefaultTokenHelper() (token.TokenHelper, error) {
 	return config.DefaultTokenHelper()
 }