apimorphism / telegramium

Telegramium or F[Tg] - pure functional Telegram Bot API implementation for Scala.
MIT License

Bot token is printed in logs #483

Open lolgab opened 4 months ago

lolgab commented 4 months ago

Since Telegram requires the bot token to be in the path, it gets logged in the logs, which can cause token leaks when application logs are stored. It would be nice if the tokens in the paths were replaced with ******** like:

Request method=POST uri=https://api.telegram.org/bot12341234:************/deleteWebhook headers=Content-Length: 26,Content-Type: application/json,Accept: application/json threw an exception on attempt #1. Giving up.

johnspade commented 4 months ago

Thanks for the report! I'm not sure if it's that easy to fix, since the http4s client creation is not under Telegramium's control. If I understand correctly, in your case the client is using Retry Middleware? You can set the logRetries = false parameter to disable these messages. There is an open issue in the http4s repository regarding this problem: https://github.com/http4s/http4s/issues/6597.
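
The masking requested in this issue can be sketched as a pure function applied wherever log lines are rendered. This is an added example, not code from Telegramium or http4s. The `TokenRedaction` object, its `redact` function and the sample lines are hypothetical, and hooking it into a logging backend is left as an assumption. It also covers the `/file/bot<token>/` download path and a percent-encoded colon.

```scala
import scala.util.matching.Regex

// Hypothetical helper (not part of Telegramium or http4s).
object TokenRedaction {
  // Telegram bot tokens have the form "<numeric bot id>:<secret>" and appear in the
  // path as /bot<token>/<method> or /file/bot<token>/<file_path>.
  // The colon may be percent-encoded (%3A) depending on how the URI was rendered.
  private val TokenInPath: Regex =
    """(?i)(/bot\d+(?::|%3A))[A-Za-z0-9_-]+""".r

  /** Masks the secret half of any bot token in `line`, keeping the bot id for correlation. */
  def redact(line: String): String =
    TokenInPath.replaceAllIn(
      line,
      m => Regex.quoteReplacement(m.group(1) + "************")
    )

  // Constructed sample lines; the token value is a placeholder, not a real token.
  val samples: List[String] = List(
    "Request method=POST uri=https://api.telegram.org/bot12341234:PLACEHOLDER_secret-value/deleteWebhook threw an exception on attempt #1. Giving up.",
    "GET https://api.telegram.org/file/bot12341234%3APLACEHOLDER_secret-value/photos/file_0.jpg",
    "no token here: /bots/list"
  )

  def main(args: Array[String]): Unit = {
    val out = samples.map(redact)
    out.foreach(println)
    // Fail loudly if any secret survived redaction.
    assert(out.forall(!_.contains("PLACEHOLDER_secret-value")))
    // Paths that merely start with "/bot" but carry no token are left untouched.
    assert(out.last == samples.last)
  }
}
```

Because the message is produced inside the http4s client, the function only helps if it runs in the logging backend (for example in a custom message converter or appender) before lines are written to storage.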