Remove API token from logs #727

Open
josecelano opened this issue Mar 11, 2024 · 1 comment
Labels: Security (Publicly Connected to Security)

@josecelano (Member)

We are using a token query param for API authentication and we are logging the whole request URL.

```
2024-03-11T16:53:33.249051604+00:00 [API][INFO] request; method=GET uri=/api/v1/torrents?token=MyAccessToken&info_hash=2b66980093bc11806fab50cb3cb41835b95a0362 request_id=d99df52a-dfb8-4608-9974-b4d9c445ee41
2024-03-11T16:53:33.249113794+00:00 [API][INFO] response; latency=0 status=200 OK request_id=d99df52a-dfb8-4608-9974-b4d9c445ee41
```

That means tokens are included in the logs.

We should hide those tokens with **** or change the way we pass the token. We could use an HTTP header like in the Index. I prefer the second option because other proxies could also log the URLs.

@josecelano josecelano added the Security Publicly Connected to Security label Mar 11, 2024
@josecelano josecelano added this to the v3.1.0 milestone Mar 11, 2024
@josecelano (Member, Author)

Instead of removing the token from the logs we could add a new authentication method. We could use a bearer token authentication scheme. We are using it in the Index, so we only need to adapt that code:

https://github.com/torrust/torrust-index/blob/develop/src/web/api/server/v1/auth.rs

Maybe we can keep the GET param token for testing because it makes it easier to load API resources. However, I would remove it; we can use https://www.postman.com/ or curl.
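The two options discussed in this issue (masking the `token` query parameter with `****` before the request line is logged, and reading the token from an `Authorization: Bearer` header so it never enters the URI) in a single standalone example. This is added illustration code, not torrust-tracker's own implementation; the function names `redact_uri`, `bearer_token` and `request_log_line` are assumptions made for the example, the sample URI is a constructed copy of the one in the issue, and only the Rust standard library is used. Redaction only protects the tracker's own log; as the first comment notes, any proxy in front of it will still see and possibly log the full URL, which is the argument for the header-based scheme.

```rust
// Added example (not torrust-tracker code): keeping an API token out of the
// request log. Function names are assumptions for this example.

/// Query parameters whose values must never reach a log line.
const SENSITIVE_PARAMS: &[&str] = &["token"];

/// Returns `uri` with the value of every sensitive query parameter replaced
/// by `****`. Path, other parameters and their order are preserved.
pub fn redact_uri(uri: &str) -> String {
    let Some((path, query)) = uri.split_once('?') else {
        // No query string: nothing to redact.
        return uri.to_string();
    };
    let redacted: Vec<String> = query
        .split('&')
        .map(|pair| match pair.split_once('=') {
            Some((name, _)) if SENSITIVE_PARAMS.contains(&name) => format!("{name}=****"),
            // Non-sensitive parameter, or a bare name with no value.
            _ => pair.to_string(),
        })
        .collect();
    format!("{path}?{}", redacted.join("&"))
}

/// Extracts the token from an `Authorization: Bearer <token>` header value.
/// Returns `None` for a missing header, a different scheme, or an empty token.
pub fn bearer_token(authorization: Option<&str>) -> Option<&str> {
    let value = authorization?.trim();
    let (scheme, token) = value.split_once(' ')?;
    if !scheme.eq_ignore_ascii_case("bearer") {
        return None;
    }
    let token = token.trim();
    (!token.is_empty()).then_some(token)
}

/// Builds a request log line in the shape shown in the issue, but with the
/// URI passed through `redact_uri` first so the token cannot leak.
pub fn request_log_line(method: &str, uri: &str, request_id: &str) -> String {
    format!(
        "[API][INFO] request; method={method} uri={} request_id={request_id}",
        redact_uri(uri)
    )
}

fn main() {
    // Constructed sample URI, mirroring the one in the issue.
    let uri = "/api/v1/torrents?token=MyAccessToken&info_hash=2b66980093bc11806fab50cb3cb41835b95a0362";
    println!(
        "{}",
        request_log_line("GET", uri, "d99df52a-dfb8-4608-9974-b4d9c445ee41")
    );

    // Header-based authentication: the token never appears in the URI,
    // so neither the tracker nor an upstream proxy can log it by accident.
    let header = Some("Bearer MyAccessToken");
    println!("bearer token: {:?}", bearer_token(header));
}
```

`redact_uri` keys on the parameter name only, so it also masks a token that a client sends in a different position in the query string, and it leaves a bare `?token` (no value) untouched because there is nothing to leak. `bearer_token` accepts the scheme case-insensitively, as HTTP authentication schemes are, and rejects an empty token rather than treating it as authenticated.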

@josecelano josecelano self-assigned this Jun 12, 2024
@josecelano josecelano modified the milestones: v3.1.0, v3.0.0 Jun 12, 2024
@josecelano josecelano modified the milestones: v3.0.0, v3.1.0 Aug 8, 2024