From 36550f4addc1b6522bd8c2dea96f0d06dfa41244 Mon Sep 17 00:00:00 2001 From: Iizuki Date: Mon, 5 Jan 2026 15:36:01 +0200 Subject: [PATCH 1/7] security: redact password from debug prints --- CHANGELOG | 4 ++++ Cargo.toml | 2 +- src/credentials.rs | 16 +++++++++++++--- src/lib.rs | 12 ++++++++++++ 4 files changed, 30 insertions(+), 4 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 9d807e2..93ec96a 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [0.3.6] - 2026-01-05 +### Security +- Redact password from debug prints + ## [0.3.1] - 2021-08-15 ### Fixed - CI workflows issues due to missing conditional publishing triggerer and out of diff --git a/Cargo.toml b/Cargo.toml index 90ded61..56eae82 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "http-auth-basic" -version = "0.3.5" +version = "0.3.6" authors = ["Esteban Borai "] edition = "2021" diff --git a/src/credentials.rs b/src/credentials.rs index 7b4a92e..1bc68f2 100644 --- a/src/credentials.rs +++ b/src/credentials.rs @@ -1,12 +1,12 @@ -use std::str::FromStr; +use std::{fmt, str::FromStr}; -use base64::{prelude::BASE64_STANDARD, Engine}; +use base64::{Engine, prelude::BASE64_STANDARD}; use crate::error::AuthBasicError; /// A `struct` to represent the `user_id` and `password` fields /// from an _Authorization Basic_ header value -#[derive(Debug, PartialEq)] +#[derive(PartialEq)] pub struct Credentials { pub user_id: String, pub password: String, 
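Review bot: The struct's doc comment still only says it represents the `user_id` and `password` fields, while this hunk drops `#[derive(Debug)]` so that a hand-written implementation can redact the password; nothing on the struct itself tells a reader (or rustdoc) that `{:?}` output differs from the field contents. Add a line to the doc comment, e.g. ``/// The [`Debug`] output redacts `password`; the field itself remains `pub` and readable.`` Both fields stay public, so the redaction covers formatting only, not access, and callers that log `credentials.password` directly are unaffected by this change.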
@@ -102,3 +102,13 @@ impl FromStr for Credentials { Self::decode(s.into()) } } + +/// Debug implementation never prints out the password. +impl fmt::Debug for Credentials { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + f.debug_struct("Credentials") + .field("user_id", &self.user_id) + .field("password", &"REDACTED") + .finish() + } +} diff --git a/src/lib.rs b/src/lib.rs index bf56ab2..ad850d6 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -153,4 +153,16 @@ mod tests { assert!(credentials.is_err()); } + + #[test] + fn debug_redacts_password() { + let password = "secret teapot"; + let credentials = Credentials::new("username", password); + + let debugged = format!("{credentials:?}"); + let pretty = format!("{credentials:#?}"); + + assert!(!debugged.contains(password)); + assert!(!pretty.contains(password)); + } } From 5c45cc1a157482d12d45ee9f2a43a2a100dac3a9 Mon Sep 17 00:00:00 2001 From: Iizuki Date: Mon, 5 Jan 2026 15:36:58 +0200 Subject: [PATCH 2/7] chore: stop tracking Cargo.lock --- .gitignore | 4 +++- Cargo.lock | 16 ---------------- 2 files changed, 3 insertions(+), 17 deletions(-) delete mode 100644 Cargo.lock diff --git a/.gitignore b/.gitignore index a363066..f68ea69 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,8 @@ ####################### .vscode/ /target +# Not needed in a library. +Cargo.lock # Compiled source # ################### @@ -39,4 +41,4 @@ bundle .Spotlight-V100 .Trashes ehthumbs.db -Thumbs.db \ No newline at end of file +Thumbs.db diff --git a/Cargo.lock b/Cargo.lock deleted file mode 100644 index 4033513..0000000 --- a/Cargo.lock +++ /dev/null 
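Review bot: The redaction marker `"REDACTED"` is a bare literal in `.field("password", &"REDACTED")`, and the test strengthened in PATCH 6/7 (src/lib.rs) re-declares it as a local `const REDACTED`, so the two can drift without anything failing to compile. Define it once next to the struct, e.g. `pub(crate) const REDACTED_PASSWORD: &str = "REDACTED";` (constructed name), and use it both in `.field("password", &REDACTED_PASSWORD)` and in the test. With a `&&str` argument the field prints as a quoted string (`password: "REDACTED"`), which is fine; `format_args!("REDACTED")` would print it unquoted if that is preferred. Whether the crate also implements `Display` for `Credentials` is not visible here; if it does, it needs the same treatment, since only `Debug` is covered by this hunk.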
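Review bot: The justification `# Not needed in a library.` in the first .gitignore hunk is out of date: Cargo's guidance no longer advises libraries to omit `Cargo.lock`, and without it every CI and release build (the `release.yml` workflow touched later in this series) resolves dependencies afresh, so builds are not reproducible and tools such as `cargo audit` that read the lock file have nothing to check. If the file is dropped anyway, make the comment state the actual trade-off, e.g. `# Library crate: downstream users resolve their own lock file; CI builds are not pinned.` Otherwise keep `Cargo.lock` tracked and drop this hunk together with the deletion in the Cargo.lock section.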
@@ -1,16 +0,0 @@ -# This file is automatically @generated by Cargo. -# It is not intended for manual editing. -version = 3 - -[[package]] -name = "base64" -version = "0.22.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" - -[[package]] -name = "http-auth-basic" -version = "0.3.5" -dependencies = [ - "base64", -] From 3f447c532f12e4e214c270290131c133d235dc36 Mon Sep 17 00:00:00 2001 From: Iizuki Date: Mon, 5 Jan 2026 15:37:35 +0200 Subject: [PATCH 3/7] chore: update rust edition to 2024 --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index 56eae82..973b5a1 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -3,7 +3,7 @@ name = "http-auth-basic" version = "0.3.6" authors = ["Esteban Borai "] -edition = "2021" +edition = "2024" license = "MIT OR Apache-2.0" description = "HTTP Basic Authentication Scheme (RFC 7617 and RFC 2617 compilant, base64-encoded credentials) for Rust applications" readme = "README.md" From 838b4657e3a9efb923e9e4b7abf1ef815bd400b6 Mon Sep 17 00:00:00 2001 From: Iizuki Date: Mon, 5 Jan 2026 15:38:15 +0200 Subject: [PATCH 4/7] documentation: spellchecker caught a couple typos --- CONTRIBUTING.md | 2 +- Cargo.toml | 2 +- README.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index dd913c7..65dd9c6 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
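Review bot: `edition = "2024"` in the Cargo.toml hunk also raises the crate's minimum supported Rust to 1.85 (the first release with the 2024 edition), and it ships in 0.3.6, a patch bump, so downstream `cargo update` will pull in the new MSRV silently; add `rust-version = "1.85"` next to `edition` if the manifest lacks one (only lines 3–9 are visible here) and mention the MSRV bump in the CHANGELOG entry for 0.3.6. The 2024 edition also changes some semantics (temporary lifetimes in tail expressions, `impl Trait` capture rules); nothing in this series shows a `cargo fix --edition` pass, which is plausibly a no-op for a crate this small but is worth confirming in the commit message.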
@@ -15,7 +15,7 @@ about behavior to being permanently banned from the http-auth-basic repository. Not all interactions that require remediation are clear violations of the Code of Conduct. Project maintainers will take appropriate -action, when neccessary, to ensure the http-auth-basic community is a space +action, when necessary, to ensure the http-auth-basic community is a space where individuals can comfortably collaborate and bring their entire selves. Unfortunately, if bringing your entire self is infringing on others from doing the same, you may be asked to leave. diff --git a/Cargo.toml b/Cargo.toml index 973b5a1..22041c9 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -5,7 +5,7 @@ authors = ["Esteban Borai "] edition = "2024" license = "MIT OR Apache-2.0" -description = "HTTP Basic Authentication Scheme (RFC 7617 and RFC 2617 compilant, base64-encoded credentials) for Rust applications" +description = "HTTP Basic Authentication Scheme (RFC 7617 and RFC 2617 compliant, base64-encoded credentials) for Rust applications" readme = "README.md" repository = "https://github.com/EstebanBorai/http-auth-basic" categories = ["authentication", "encoding", "web-programming", "web-programming::http-server", "web-programming::http-client"] diff --git a/README.md b/README.md index b435b48..72bdb80 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@

http-auth-basic

- HTTP Basic Authentication Scheme (RFC 7617 and RFC 2617 compilant, base64-encoded credentials) for Rust applications + HTTP Basic Authentication Scheme (RFC 7617 and RFC 2617 compliant, base64-encoded credentials) for Rust applications

From 187685a7571af8e0d098753665668bd81c40b2b3 Mon Sep 17 00:00:00 2001 From: Iizuki Date: Mon, 5 Jan 2026 15:40:10 +0200 Subject: [PATCH 5/7] ops: add cargo-semver-checks --- .github/workflows/release.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fadeee0..1979601 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -31,6 +31,11 @@ jobs: steps: - uses: actions/checkout@v1 + # Make sure that there are no SemVer violations before publishing. + # https://github.com/obi1kenobi/cargo-semver-checks-action + - name: Check semver + uses: obi1kenobi/cargo-semver-checks-action@v2 + - uses: actions-rs/toolchain@v1 with: profile: minimal From 1839829db6908f7d0ac6631a713c076a784340f9 Mon Sep 17 00:00:00 2001 From: Iizuki Date: Fri, 23 Jan 2026 12:18:59 +0200 Subject: [PATCH 6/7] test: more precise debug print assertions --- src/lib.rs | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/lib.rs b/src/lib.rs index ad850d6..38b0b32 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -162,7 +162,13 @@ mod tests { let debugged = format!("{credentials:?}"); let pretty = format!("{credentials:#?}"); + // The password should not appear in the prints. assert!(!debugged.contains(password)); assert!(!pretty.contains(password)); + + // It should be replaced with this: + const REDACTED: &str = "REDACTED"; + assert!(debugged.contains(REDACTED)); + assert!(pretty.contains(REDACTED)); } } From b350c1cd6d94cc45a17b23edd5eec5a61ffd1326 Mon Sep 17 00:00:00 2001 From: Iizuki Date: Fri, 23 Jan 2026 12:24:37 +0200 Subject: [PATCH 7/7] Revert "ops: add cargo-semver-checks" This reverts commit 187685a7571af8e0d098753665668bd81c40b2b3. It will be included in a separate pull request. --- .github/workflows/release.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1979601..fadeee0 100644 --- a/.github/workflows/release.yml 
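Review bot: `uses: obi1kenobi/cargo-semver-checks-action@v2` in the release.yml hunk is pinned only to a mutable major tag, so the publish job runs whatever that tag points to at release time; pin third-party actions to a full commit SHA with the version in a trailing comment, e.g. `uses: obi1kenobi/cargo-semver-checks-action@<commit-sha>  # v2`. The surrounding context line `actions/checkout@v1` has the same issue and is also several majors behind, though that predates this series. This hunk is reverted in PATCH 7/7 and slated for a separate pull request, so the point applies to that follow-up.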
+++ b/.github/workflows/release.yml @@ -31,11 +31,6 @@ jobs: steps: - uses: actions/checkout@v1 - # Make sure that there are no SemVer violations before publishing. - # https://github.com/obi1kenobi/cargo-semver-checks-action - - name: Check semver - uses: obi1kenobi/cargo-semver-checks-action@v2 - - uses: actions-rs/toolchain@v1 with: profile: minimal