Remove API token from logs #727

@josecelano

We are using a token query param for API authentication and we are logging the whole request URL.

```
2024-03-11T16:53:33.249051604+00:00 [API][INFO] request; method=GET uri=/api/v1/torrents?token=MyAccessToken&info_hash=2b66980093bc11806fab50cb3cb41835b95a0362 request_id=d99df52a-dfb8-4608-9974-b4d9c445ee41
2024-03-11T16:53:33.249113794+00:00 [API][INFO] response; latency=0 status=200 OK request_id=d99df52a-dfb8-4608-9974-b4d9c445ee41
```

That means tokens are included in the logs.

We should hide those tokens with **** or change the way we pass the token. We could use an HTTP header like in the Index. I prefer the second option because other proxies could also log the URLs.
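
The first option from the issue (masking the token before the URI reaches the logger), as an added example that is not part of the original issue or the project's code. The names `redact_query_param` and `decode_key` are hypothetical, and the sketch only covers the application's own log line, not URLs logged by proxies in front of it.

```rust
/// Hypothetical helper (not project code): decode %XX escapes in a query key
/// so that an encoded spelling of the parameter name is still recognised.
fn decode_key(key: &str) -> String {
    let b = key.as_bytes();
    let (mut out, mut i) = (Vec::with_capacity(b.len()), 0);
    while i < b.len() {
        // Two bytes after the current one, only if both are hex digits.
        let hex = b.get(i + 1..i + 3).filter(|h| h.iter().all(u8::is_ascii_hexdigit));
        match (b[i], hex) {
            (b'%', Some(h)) => {
                let digits = std::str::from_utf8(h).unwrap(); // ASCII hex, always valid
                out.push(u8::from_str_radix(digits, 16).unwrap());
                i += 3;
            }
            (c, _) => {
                out.push(c);
                i += 1;
            }
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Mask the value of every query parameter named `name` in a request URI.
/// Matching is case-insensitive, so it may over-redact but never under-redact.
pub fn redact_query_param(uri: &str, name: &str) -> String {
    let (path, query) = match uri.split_once('?') {
        Some(parts) => parts,
        None => return uri.to_string(), // no query string, nothing to mask
    };
    let masked: Vec<String> = query
        .split('&')
        .map(|pair| match pair.split_once('=') {
            // Keep the key exactly as sent; replace only the value.
            Some((k, _)) if decode_key(k).eq_ignore_ascii_case(name) => format!("{}=****", k),
            _ => pair.to_string(),
        })
        .collect();
    format!("{}?{}", path, masked.join("&"))
}

fn main() {
    // URI copied from the log line in the issue.
    let uri = "/api/v1/torrents?token=MyAccessToken&info_hash=2b66980093bc11806fab50cb3cb41835b95a0362";
    println!("uri={}", redact_query_param(uri, "token"));
}
```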
