fix(middleware): don't log admin password on basic-auth failure

middleware/auth.go

@@ -235,7 +235,7 @@ func (a *Authenticator) basicAdminUser(r *http.Request) bool {
 
 	// using ConstantTimeCompare to avoid timing attack
 	if user != "admin" || subtle.ConstantTimeCompare([]byte(passwd), []byte(a.AdminPasswd)) != 1 {
-		a.Logf("[WARN] admin basic auth failed, user/passwd mismatch, %s:%s", user, passwd)
+		a.Logf("[WARN] admin basic auth failed for user %q", user)
 		return false
 	}
 

middleware/auth_test.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/http/cookiejar"
 	"net/http/httptest"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"testing"
@@ -335,6 +336,23 @@ func TestAuthWithBasic(t *testing.T) {
 	assert.Equal(t, 401, resp.StatusCode, "admin with basic not allowed")
 }
 
+func TestBasicAdminUserDoesNotLogPassword(t *testing.T) {
+	const secret = "super-secret-attempted-passwd"
+	var buf strings.Builder
+	a := makeTestAuth(t)
+	a.L = logger.Func(func(format string, args ...interface{}) {
+		fmt.Fprintf(&buf, format, args...)
+	})
+
+	r, err := http.NewRequest("GET", "/auth", http.NoBody)
+	require.NoError(t, err)
+	r.SetBasicAuth("admin", secret)
+
+	assert.False(t, a.basicAdminUser(r), "wrong password must not authenticate")
+	assert.NotContains(t, buf.String(), secret, "attempted password must not appear in logs")
+	assert.Contains(t, buf.String(), "admin basic auth failed", "rejection should still be logged")
+}
+
 func TestAuthWithBasicChecker(t *testing.T) {
 	a := makeTestAuth(t)
 	a.AdminPasswd = "" // disable admin

v2/middleware/auth.go

@@ -243,7 +243,7 @@ func (a *Authenticator) basicAdminUser(r *http.Request) bool {
 
 	// using ConstantTimeCompare to avoid timing attack
 	if user != "admin" || subtle.ConstantTimeCompare([]byte(passwd), []byte(a.AdminPasswd)) != 1 {
-		a.Logf("[WARN] admin basic auth failed, user/passwd mismatch, %s:%s", user, passwd)
+		a.Logf("[WARN] admin basic auth failed for user %q", user)
 		return false
 	}
 

v2/middleware/auth_test.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/http/cookiejar"
 	"net/http/httptest"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"testing"
@@ -334,6 +335,23 @@ func TestAuthWithBasic(t *testing.T) {
 	assert.Equal(t, 401, resp.StatusCode, "admin with basic not allowed")
 }
 
+func TestBasicAdminUserDoesNotLogPassword(t *testing.T) {
+	const secret = "super-secret-attempted-passwd"
+	var buf strings.Builder
+	a := makeTestAuth(t)
+	a.L = logger.Func(func(format string, args ...interface{}) {
+		fmt.Fprintf(&buf, format, args...)
+	})
+
+	r, err := http.NewRequest("GET", "/auth", http.NoBody)
+	require.NoError(t, err)
+	r.SetBasicAuth("admin", secret)
+
+	assert.False(t, a.basicAdminUser(r), "wrong password must not authenticate")
+	assert.NotContains(t, buf.String(), secret, "attempted password must not appear in logs")
+	assert.Contains(t, buf.String(), "admin basic auth failed", "rejection should still be logged")
+}
+
 func TestAuthWithBasicChecker(t *testing.T) {
 	a := makeTestAuth(t)
 	a.AdminPasswd = "" // disable admin