From c532073dd122d8e39193c868f31e40e708476b21 Mon Sep 17 00:00:00 2001
From: David Christofas
Date: Wed, 3 Mar 2021 15:30:11 +0100
Subject: [PATCH] remove JWT from logs secrets should not be exposed in the logs
---
 changelog/unreleased/remove-log-secret.md | 5 +++++
 ocis-pkg/middleware/openidconnect.go | 2 +-
 proxy/pkg/middleware/oidc_auth.go | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 changelog/unreleased/remove-log-secret.md
diff --git a/changelog/unreleased/remove-log-secret.md b/changelog/unreleased/remove-log-secret.md
new file mode 100644
index 000000000..cfdf79254
--- /dev/null
+++ b/changelog/unreleased/remove-log-secret.md
@@ -0,0 +1,5 @@
+Enhancement: Remove the JWT from the log
+
+We were logging the JWT in some places. Secrets should not be exposed in logs so it got removed.
+
+https://github.com/owncloud/ocis/pull/1758
diff --git a/ocis-pkg/middleware/openidconnect.go b/ocis-pkg/middleware/openidconnect.go
index c983c2fed..d33fbd9d6 100644
--- a/ocis-pkg/middleware/openidconnect.go
+++ b/ocis-pkg/middleware/openidconnect.go
@@ -85,7 +85,7 @@ func OpenIDConnect(opts ...ocisoidc.Option) func(http.Handler) http.Handler {
 }
 userInfo, err := oidcProvider.UserInfo(customCtx, oauth2.StaticTokenSource(oauth2Token))
 if err != nil {
- opt.Logger.Error().Err(err).Str("token", string(token)).Msg("Failed to get userinfo")
+ opt.Logger.Error().Err(err).Msg("Failed to get userinfo")
 http.Error(w, ErrInvalidToken.Error(), http.StatusUnauthorized)
 return
 }
diff --git a/proxy/pkg/middleware/oidc_auth.go b/proxy/pkg/middleware/oidc_auth.go
index e4177060c..f05aaef20 100644
--- a/proxy/pkg/middleware/oidc_auth.go
+++ b/proxy/pkg/middleware/oidc_auth.go
@@ -91,7 +91,7 @@ func (m oidcAuth) getClaims(token string, req *http.Request) (claims oidc.Standa
 oauth2.StaticTokenSource(oauth2Token),
 )
 if err != nil {
- m.logger.Error().Err(err).Str("token", token).Msg("Failed to get userinfo")
+ m.logger.Error().Err(err).Msg("Failed to get userinfo")
 status = http.StatusUnauthorized
 return
 }
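Review bot: With the `token` field gone, the `Failed to get userinfo` error entry in `getClaims` carries nothing that ties the failure to a request or a credential, so repeated failures caused by one replayed or stolen token cannot be told apart from unrelated ones during triage. A truncated digest keeps that correlation without exposing the secret: `sum := sha256.Sum256([]byte(token))` followed by `.Str("token_sha256", hex.EncodeToString(sum[:8]))` on the log chain (needs `crypto/sha256` and `encoding/hex`). The same applies to the matching line in the `OpenIDConnect` hunk of `ocis-pkg/middleware/openidconnect.go`. It is also worth confirming that `err` from the userinfo call cannot echo the bearer value back from the provider's response, which is not visible here. Both functions begin and end outside their hunks.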