Skip to content

fix(middleware): don't log admin password on basic-auth failure#279

Merged
umputun merged 1 commit into
masterfrom
fix/admin-passwd-log-leak
May 8, 2026
Merged

fix(middleware): don't log admin password on basic-auth failure#279
umputun merged 1 commit into
masterfrom
fix/admin-passwd-log-leak

Conversation

@paskal
Copy link
Copy Markdown
Collaborator

@paskal paskal commented May 8, 2026

Summary

Admin basic-auth rejection log line currently includes the attempted password verbatim:

[WARN] admin basic auth failed, user/passwd mismatch, admin:hunter2

A mistyped legitimate password (often one character off the real one) or a misrouted password-manager submission lands in plaintext logs that may be shipped to centralised logging, crash bundles, or third-party observability systems.

Change

Drop the password from the log line, keep the username:

[WARN] admin basic auth failed for user "admin"

Same fix in v1 (middleware/auth.go:238) and v2 (v2/middleware/auth.go:246), single PR.

Test

New TestBasicAdminUserDoesNotLogPassword in both modules — captures the logger output, calls basicAdminUser with a wrong password, asserts the password substring is not in the captured output and the rejection is still logged.

Confirmed RED→GREEN locally:

  • before: assertion fails, log contains admin:super-secret-attempted-passwd
  • after: assertion passes

@paskal
fix(middleware): don't log admin password on basic-auth failure
e394e7e 
The admin basic-auth rejection log line included the attempted password
verbatim, e.g. "[WARN] admin basic auth failed, user/passwd mismatch,
admin:hunter2". A mistyped legitimate password (often differs from the
real one by one character) or a misrouted password manager submission
ends up in plaintext logs that may be shipped to centralised logging,
crash bundles or third-party observability systems.

Drop the password from the log line; keep only the username so an
operator can still tell who failed.

Affects v1 (middleware/auth.go:238) and v2 (v2/middleware/auth.go:246).

Reported during a security audit alongside the v1 from-redirect issue
and the Apple iss/aud gap (those tracked separately).
@paskal paskal requested a review from umputun as a code owner May 8, 2026 17:29
@coveralls
Copy link
Copy Markdown

coveralls commented May 8, 2026
edited
Loading

Coverage Report for CI Build 25569788009

Coverage increased (+0.4%) to 84.66%

Details

  • Coverage increased (+0.4%) from the base build.
  • Patch coverage: 1 of 1 lines across 1 file are fully covered (100%).
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.

Coverage Stats

Coverage Status
Relevant Lines: 3305
Covered Lines: 2798
Line Coverage: 84.66%
Coverage Strength: 7.77 hits per line
💛 - Coveralls

@paskal paskal mentioned this pull request May 8, 2026
Merged
umputun
umputun approved these changes May 8, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@umputun umputun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thx

@umputun umputun merged commit 30e0070 into master May 8, 2026
9 checks passed
@umputun umputun deleted the fix/admin-passwd-log-leak branch May 8, 2026 21:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@umputun umputun umputun approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@paskal @coveralls @umputun