centrifugal / centrifugo

Scalable real-time messaging server in a language-agnostic way. Self-hosted alternative to Pubnub, Pusher, Ably. Set up once and forever.
https://centrifugal.dev
Apache License 2.0

[bug] Displays proxy endpoint credentials in log output #880

Open matsuev opened 1 week ago

matsuev commented 1 week ago

Once the proxy endpoint is created, Centrifugo displays a connection string with the user credentials in the log output:

2024-09-09 01:59:21 [INF] RPC proxy enabled endpoint=https://user:password@localhost:8080/rpc

OR (if log in JSON format)

{"level":"info","endpoint":"https://user:password@localhost:8080/rpc","time":"2024-09-08T19:13:44Z","message":"RPC proxy enabled"}

This is a potential risk of leaking passwords for connecting to the application server.

Versions

Centrifugo version is 5.4.5

Steps to Reproduce

How can the bug be triggered? In the Centrifugo config file:

{
    ...
    "proxy_rpc_endpoint": "https://user:password@localhost:8080/rpc",
    ...
}

A quick solution might be like this. In main.go add a function:

import "net/url"

// redactedUrl returns the endpoint with the userinfo password replaced by
// "xxxxx" (url.URL.Redacted); an endpoint that fails to parse yields "".
func redactedUrl(endpoint string) string {
    if parsedUrl, err := url.Parse(endpoint); err != nil {
        return ""
    } else {
        return parsedUrl.Redacted()
    }
}

and replace any logging of the endpoint, for example:

// log.Info().Str("endpoint", rpcEndpoint).Msg("RPC proxy enabled")
log.Info().Str("endpoint", redactedUrl(rpcEndpoint)).Msg("RPC proxy enabled")

Then the log looks like this:

2024-09-09 03:39:13 [INF] RPC proxy enabled endpoint=https://user:xxxxx@localhost:8080/rpc

Patch to FIX log output: https://github.com/matsuev/centrifugo/tree/fix-log-proxy-credentials

Refactored code to use proxy.Config Endpoint field as *url.URL: https://github.com/matsuev/centrifugo/tree/refactor-proxy-config
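The redaction described in the report relies on url.URL.Redacted, which masks only the password in the userinfo part of a URL. The following added example (not code from the issue or from the Centrifugo project) shows that behaviour on several constructed endpoint strings, including a percent-encoded password and an unparseable string, and goes one step beyond the report: a hypothetical redactEndpointStrict also masks the values of an illustrative set of query parameter names (token, key, api_key, secret, password), because Redacted leaves query strings untouched and a backend credential passed as ?token=... would otherwise still reach the log. The function names, the placeholder text for unparseable input and the list of query keys are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// redactEndpoint returns a loggable form of a proxy endpoint URL.
// url.URL.Redacted replaces only the userinfo password with "xxxxx".
// A string that fails to parse is never echoed back: the raw input is
// exactly the thing that may contain the secret, so a fixed placeholder
// (an assumption of this example) is returned instead.
func redactEndpoint(endpoint string) string {
	u, err := url.Parse(endpoint)
	if err != nil {
		return "<unparseable endpoint>"
	}
	return u.Redacted()
}

// sensitiveQueryKeys is an illustrative, assumed allowlist of query
// parameter names whose values are masked in addition to the password.
var sensitiveQueryKeys = map[string]bool{
	"token":    true,
	"key":      true,
	"api_key":  true,
	"secret":   true,
	"password": true,
}

// redactEndpointStrict extends redactEndpoint: Redacted does not touch the
// query string, so matching parameter values are replaced with "xxxxx"
// before the URL is rendered. Other parameters are kept as-is.
func redactEndpointStrict(endpoint string) string {
	u, err := url.Parse(endpoint)
	if err != nil {
		return "<unparseable endpoint>"
	}
	q := u.Query()
	for k := range q {
		if sensitiveQueryKeys[strings.ToLower(k)] {
			q.Set(k, "xxxxx")
		}
	}
	u.RawQuery = q.Encode()
	return u.Redacted()
}

// leaksSecret reports whether a would-be log line still contains a known
// secret; useful as a unit-test check on the redaction helpers.
func leaksSecret(logLine, secret string) bool {
	return strings.Contains(logLine, secret)
}

func main() {
	// Constructed sample endpoints, not taken from any real deployment.
	endpoints := []string{
		"https://user:password@localhost:8080/rpc",
		"https://user:p%40ss%3Aword@localhost:8080/rpc",
		"https://user@localhost:8080/rpc",
		"https://localhost:8080/rpc?token=s3cr3t&v=2",
		"://bad",
	}
	for _, e := range endpoints {
		fmt.Printf("RPC proxy enabled endpoint=%s\n", redactEndpointStrict(e))
	}
}
```

Note that the plain Redacted form of the fourth endpoint still contains s3cr3t; only the strict variant masks it, which is the caveat to keep in mind when a backend is protected by a query-string token rather than HTTP basic auth.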

FZambia commented 5 days ago

Hello @matsuev

Thanks for the report, you are right - need to strip out sensitive info before logging.

While it's not fixed - maybe consider using some reverse proxy between Centrifugo and your backend which adds basic auth.