strip password when logging URL
This makes sure that the password doesn't appear in error logs when using basic authentication.
(The code that I used in stripPassword is the same that the standard library http client uses)
Hi areller,
Maybe you can make use of https://pkg.go.dev/net/url#URL.Redacted
So a utils may not even be necessary?
Best, Alex
@ybbus Hi, thanks for the suggestion. Modified the PR.
Do you think it could cause problems with v2 (https://github.com/ybbus/jsonrpc/pull/45)? The Redacted function was introduced in go1.15, but the minimum version in v2's go.mod is 1.12.
@areller I would even go further with the simplification.
What about just replacing all `httpRequest.URL.String()` with `httpRequest.URL.Redacted()`, and all `client.endpoint` also with `httpRequest.URL.Redacted()`?
Recalculating the value every time should not be a problem, since this is only done in the case of an error and the calculation is quite small (URL parsing has happened anyway at this point in time).
For v2: Maybe v2 should be upgraded to 1.15 then, but I don't know if this counts as a breaking change...
For v3: To be precise, this is also a breaking change. But since it is bad practice anyway to have expectations about the error string, I guess this should be okay without a major version increase.
https://github.com/ybbus/jsonrpc/pull/53
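The two redaction approaches discussed in this thread, side by side, as an added example (not code from the PR or from ybbus/jsonrpc): `URL.Redacted()`, available from Go 1.15, and a fallback for older toolchains modelled on the password stripping the PR description mentions. The names `stripPasswordCompat` and `callError`, the error wording and the endpoint values are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// stripPasswordCompat (hypothetical helper) masks the password without
// URL.Redacted, for modules whose minimum Go version is below 1.15.
// URLs with no userinfo, or a username only, are returned unchanged.
func stripPasswordCompat(u *url.URL) string {
	if _, hasPassword := u.User.Password(); hasPassword {
		return strings.Replace(u.String(), u.User.String()+"@", u.User.Username()+":***@", 1)
	}
	return u.String()
}

// callError (hypothetical) builds the error a client would log for a failed call.
func callError(endpoint string, cause error) error {
	u, err := url.Parse(endpoint)
	if err != nil {
		// The parse error quotes the raw endpoint, credentials included,
		// so it is deliberately not wrapped into the message.
		return errors.New("rpc call failed: endpoint URL could not be parsed")
	}
	return fmt.Errorf("rpc call on %v: %v", u.Redacted(), cause)
}

func main() {
	// Constructed sample endpoints, not taken from the thread.
	for _, raw := range []string{
		"https://alice:s3cr3t@rpc.example.com/api",
		"https://alice@rpc.example.com/api",
		"https://rpc.example.com/api",
	} {
		u, err := url.Parse(raw)
		if err != nil {
			continue
		}
		fmt.Println("String():  ", u.String()) // leaks the password when one is set
		fmt.Println("Redacted():", u.Redacted())
		fmt.Println("compat:    ", stripPasswordCompat(u))
	}
	fmt.Println(callError("https://alice:s3cr3t@rpc.example.com/api", errors.New("connection refused")))
}
```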