Closed by GoogleCodeExporter 9 years ago
Actually, I'm wondering if you really want to sanitize auth data or not here.
OAuth refresh tokens are revocable, and the only thing actually sent for OAuth
2 is the access token, which expires after an hour typically.
OAuth 1 sends substantially more in the headers:
Authorization: OAuth realm="Example",
    oauth_consumer_key="0685bd9184jfhq22",
    oauth_token="ad180jjd733klru7",
    oauth_signature_method="HMAC-SHA1",
    oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
    oauth_timestamp="137131200",
    oauth_nonce="4572616e48616d6d65724c61686176",
    oauth_version="1.0"
However, notably missing here is the OAuth secret.
But considering that auth is far and away the most commonly problematic area
for applications built on top of an API client, it seems to me that we may want
to allow auth information to be included in the logs. Maybe strip the
Authorization header by default, but provide a flag to disable auth stripping
with an appropriate warning not to turn it on for production deployments?
Original comment by bobaman@google.com
on 20 Sep 2011 at 6:25
My concern is mostly with carelessly posting the full logs to public locations
(such as this bug tracker), so your solution of stripping auth by default but
having an optional flag would be fantastic; it would avoid unintentional
sharing of auth data in public channels, while still allowing for debugging
auth problems if going through more private ones.
Sounds good!
Thanks for looking into this, it will be invaluable for debugging.
Original comment by sergio.gomes%google.com@gtempaccount.com
on 21 Sep 2011 at 11:43
This will get solved accidentally by the conversion to Faraday for the HTTP
stack. :-)
Original comment by bobaman@google.com
on 10 Jan 2012 at 7:09
Original comment by bobaman@google.com
on 10 Jan 2012 at 7:11
So, we're now using Faraday, but I think we need some example code in the
documentation that shows how to do logging using a Faraday connection builder.
Original comment by bobaman@google.com
on 12 Apr 2012 at 8:34
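The two ideas in this thread, strip the Authorization header from logs by default but leave a flag (with a warning) to turn stripping off for private debugging, and wire the logger in through a Faraday connection builder, fit naturally into one piece of Faraday middleware. The code below is an added example written for this page; it is not code from google-api-ruby-client, from the FAQ linked later, or from Faraday. The class name RedactingLogger, the option names logger and log_auth, the sample request and its placeholder token are all assumptions. It follows Faraday's middleware interface (initialize(app, options), call(env), env[:method], env[:url], env[:request_headers]) but deliberately does not require the gem, so it runs stand-alone; the builder usage shown in the comment is the assumed way to mount it.

```ruby
require 'logger'
require 'stringio'

# Added example, not code from google-api-ruby-client or Faraday: a logging
# middleware that strips credentials from request headers by default and
# only logs them when explicitly enabled. It follows Faraday's middleware
# interface (initialize(app, options), call(env), env[:method], env[:url],
# env[:request_headers]) but does not require the gem, so it runs alone.
class RedactingLogger
  REDACTED = '[REDACTED]'.freeze
  # Headers that carry a credential no matter which auth scheme is in use.
  SENSITIVE_HEADERS = %w[authorization proxy-authorization].freeze
  # OAuth 1 header parameters that are useful for debugging and not secret.
  # oauth_token, oauth_signature and anything unknown are masked.
  OAUTH1_KEEP = %w[realm oauth_consumer_key oauth_signature_method
                   oauth_timestamp oauth_nonce oauth_version].freeze

  def initialize(app, options = {})
    @app = app
    @logger = options[:logger] || Logger.new($stderr)
    # Stripping is on by default. log_auth: true is the debugging escape hatch
    # and must not be enabled in production or for logs that will be shared.
    @log_auth = options.fetch(:log_auth, false)
    @logger.warn('RedactingLogger: auth stripping disabled, do not share these logs') if @log_auth
  end

  # Faraday entry point: log the outgoing request, then pass it down the stack.
  def call(env)
    @logger.info("> #{env[:method].to_s.upcase} #{env[:url]}")
    format_headers(env[:request_headers] || {}).each { |line| @logger.info("> #{line}") }
    @app.call(env)
  end

  def format_headers(headers)
    headers.map { |name, value| "#{name}: #{scrub(name, value)}" }
  end

  # Returns the header value as it should appear in the log.
  def scrub(name, value)
    return value if @log_auth || !SENSITIVE_HEADERS.include?(name.to_s.downcase)
    value = value.to_s
    return scrub_oauth1(value) if value.start_with?('OAuth ')
    # Keep the scheme (Bearer, Basic) so the log still shows which auth path
    # was taken; the credential itself is dropped.
    "#{value.split(' ', 2).first} #{REDACTED}"
  end

  # OAuth 1: keep the bookkeeping parameters, mask the token and signature.
  def scrub_oauth1(value)
    params = value.sub(/\AOAuth\s+/, '').split(/,\s*/)
    masked = params.map { |param|
      key = param.split('=', 2).first
      OAUTH1_KEEP.include?(key) ? param : "#{key}=\"#{REDACTED}\""
    }
    "OAuth #{masked.join(', ')}"
  end
end

# Constructed sample request (not a real capture); the token is a placeholder.
SAMPLE_ENV = {
  method: :get,
  url: 'https://www.googleapis.com/oauth2/v1/userinfo',
  request_headers: {
    'Authorization' => 'Bearer ya29.placeholder-access-token',
    'User-Agent' => 'google-api-ruby-client (example)'
  }
}.freeze

# Runs one request through the middleware with a stand-in for the rest of the
# stack and returns everything that was logged.
def logged_output(env, options = {})
  io = StringIO.new
  downstream = ->(e) { e }
  RedactingLogger.new(downstream, options.merge(logger: Logger.new(io))).call(env)
  io.string
end

# Assumed usage with Faraday itself (gem not loaded in this example):
#   conn = Faraday.new('https://www.googleapis.com') do |builder|
#     builder.use RedactingLogger, logger: Logger.new($stdout)
#     builder.adapter Faraday.default_adapter
#   end

if __FILE__ == $PROGRAM_NAME
  puts logged_output(SAMPLE_ENV)
  puts logged_output(SAMPLE_ENV, log_auth: true)
end
```

The default run logs "Authorization: Bearer [REDACTED]" and never writes the access token; passing log_auth: true logs the full header and emits a warning first, so a log pasted into a public tracker at least carries evidence that stripping was off. For OAuth 1 headers the scheme-specific path keeps oauth_signature_method, oauth_timestamp and the like, which are what you usually need to debug a signing problem, while masking oauth_token and oauth_signature.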
I can take care of that.
Original comment by sergio.gomes%google.com@gtempaccount.com
on 17 Apr 2012 at 2:44
Awesome! Thank you!
Original comment by bobaman@google.com
on 19 Apr 2012 at 10:08
Added to FAQ: http://code.google.com/p/google-api-ruby-client/wiki/FAQ
Thanks!
Original comment by sergio.gomes%google.com@gtempaccount.com
on 26 Apr 2012 at 3:32
Original comment by bobaman@google.com
on 27 Apr 2012 at 7:50
Original issue reported on code.google.com by
sergio.gomes%google.com@gtempaccount.com
on 20 Sep 2011 at 3:34