Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove API token from logs #727

Closed
josecelano opened this issue Mar 11, 2024 · 2 comments · Fixed by #1367
Closed

Remove API token from logs #727

josecelano opened this issue Mar 11, 2024 · 2 comments · Fixed by #1367
Assignees
@josecelano
Labels
Security Publicly Connected to Security
Milestone
v3.1.0

Comments

@josecelano
Copy link
Member

We are using a token query param for API authentication and we are logging the whole request URL.

2024-03-11T16:53:33.249051604+00:00 [API][INFO] request; method=GET uri=/api/v1/torrents?token=MyAccessToken&info_hash=2b66980093bc11806fab50cb3cb41835b95a0362 request_id=d99df52a-dfb8-4608-9974-b4d9c445ee41
2024-03-11T16:53:33.249113794+00:00 [API][INFO] response; latency=0 status=200 OK request_id=d99df52a-dfb8-4608-9974-b4d9c445ee41

That means tokens are included in the logs.

We should hide those tokens with **** or change the way we pass the token. We could use an HTTP header like in the Index. I prefer the second option because other proxies could also log the URLs.
@josecelano josecelano added the Security Publicly Connected to Security label Mar 11, 2024
@josecelano josecelano added this to the v3.1.0 milestone Mar 11, 2024
@josecelano josecelano mentioned this issue Apr 11, 2024
Closed
@josecelano
Copy link
Member Author

Instead of removing the token from the logs we could add a new authentication method. We could use a bearer token authentication scheme. We are using it in the Index, so we only need to adapt that code:

https://github.com/torrust/torrust-index/blob/develop/src/web/api/server/v1/auth.rs

Maybe we can keep the GET param token for testing because it makes it easier to load API resources. However, I would remove it, we can use https://www.postman.com/ or curl.

@josecelano josecelano self-assigned this Jun 12, 2024
@josecelano josecelano modified the milestones: v3.1.0, v3.0.0 Jun 12, 2024
@josecelano josecelano modified the milestones: v3.0.0, v3.1.0 Aug 8, 2024
@josecelano
Copy link
Member Author

Hi @da2ce7 I think I will make an small improvement for now. I will allow to include the token not only via a URL param but also as a Authorization Header. I think that would require two small changes:

  • In the server we prioritize the token in the header.
  • In the client we always use the header to send the token.

Since we are planning big changes in APIs:

We can postpone to decide which method to use. Maybe It would be useful to have some kind of users also in the tracker and a more advance token generation:

  • With granularity in permission
  • With expiration date
  • Etc.

josecelano added a commit to josecelano/torrust-tracker that referenced this issue Mar 10, 2025
@josecelano
feat: [torrust#727] allow to authenticate API via authentication header
f3005cc 
The API allos client authentication via a `token` parameter in the URL
query:

```console
curl http://0.0.0.0:1212/api/v1/stats?token=MyAccessToken | jq
```

Now it's also possible to do it via Authentication Header:

```console
curl -H "Authorization: Bearer MyAccessToken" http://0.0.0.0:1212/api/v1/stats | jq
```

This is to avoid leaking the token in logs, proxies, etc.

For now, it's only optional and recommendable. It could be mandatory in
future major API versions.
@josecelano josecelano linked a pull request Mar 10, 2025 that will close this issue
New API feature: allow API clients to authenticate via authentication header #1367
Merged
josecelano added a commit to josecelano/torrust-tracker that referenced this issue Mar 10, 2025
@josecelano
feat: [torrust#727] allow to authenticate API via authentication header
ccf9880 
The API allos client authentication via a `token` parameter in the URL
query:

```console
curl http://0.0.0.0:1212/api/v1/stats?token=MyAccessToken | jq
```

Now it's also possible to do it via Authentication Header:

```console
curl -H "Authorization: Bearer MyAccessToken" http://0.0.0.0:1212/api/v1/stats | jq
```

This is to avoid leaking the token in logs, proxies, etc.

For now, it's only optional and recommendable. It could be mandatory in
future major API versions.
josecelano added a commit to josecelano/torrust-tracker that referenced this issue Mar 10, 2025
@josecelano
feat: [torrust#727] allow to authenticate API via authentication header
3f915a2 
The API allos client authentication via a `token` parameter in the URL
query:

```console
curl http://0.0.0.0:1212/api/v1/stats?token=MyAccessToken | jq
```

Now it's also possible to do it via Authentication Header:

```console
curl -H "Authorization: Bearer MyAccessToken" http://0.0.0.0:1212/api/v1/stats | jq
```

This is to avoid leaking the token in logs, proxies, etc.

For now, it's only optional and recommendable. It could be mandatory in
future major API versions.
josecelano added a commit to josecelano/torrust-tracker that referenced this issue Mar 10, 2025
@josecelano
feat: [torrust#727] allow to authenticate API via authentication header
084beb2 
The API allos client authentication via a `token` parameter in the URL
query:

```console
curl http://0.0.0.0:1212/api/v1/stats?token=MyAccessToken | jq
```

Now it's also possible to do it via Authentication Header:

```console
curl -H "Authorization: Bearer MyAccessToken" http://0.0.0.0:1212/api/v1/stats | jq
```

This is to avoid leaking the token in logs, proxies, etc.

For now, it's only optional and recommendable. It could be mandatory in
future major API versions.
josecelano added a commit to josecelano/torrust-tracker that referenced this issue Mar 10, 2025
@josecelano
refactor: [torrust#727] use the Authentication header in the API client
34f2f43 
Instead of passing the `token` via GET param.

The server supports both. Since we have not released any version crate for the
client yet we can use the header by deafault which is more secure.
josecelano added a commit that referenced this issue Mar 10, 2025
@josecelano
Merge #1367: New API feature: allow API clients to authenticate via a…
c04df74 
…uthentication header

34f2f43 refactor: [#727] use the Authentication header in the API client (Jose Celano)
084beb2 feat: [#727] allow to authenticate API via authentication header (Jose Celano)

Pull request description:

  The API allows client authentication via a `token` parameter in the URL query:

  ```console
  curl http://0.0.0.0:1212/api/v1/stats?token=MyAccessToken | jq
  ```

  Now it's also possible to do it via an `Authentication Header`:

  ```console
  curl -H "Authorization: Bearer MyAccessToken" http://0.0.0.0:1212/api/v1/stats | jq
  ```

  This is to avoid leaking the token in logs, etc.

  For now, it's only optional and recommendable. It could be mandatory in future major API versions.

  The API client uses by default the `Authentication Header`. It could be a breaking change if you use the newer client witn an old API that does not support it. However we have not released any crate for the API client yet. And [we are still using a different client in the Index](torrust/torrust-index#806).

ACKs for top commit:
  josecelano:
    ACK 34f2f43

Tree-SHA512: 94e83465f0f105200ea4257aa9a8e1f15b810410fd421e30f286cbea4bd47f3917a83088337ca6608f572f828f82f5a90aa18298763821c1c5e0da7e02c7ea6a
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@josecelano josecelano

Labels
Security Publicly Connected to Security
Projects
Torrust Solution
Status: Done
Milestone
v3.1.0
1 participant
@josecelano