Should make use of SecretStr for any Token or Password fields

mongodb-labs / full-stack-fastapi-mongodb

Full stack, modern web application generator. Using FastAPI, MongoDB as database, Docker, automatic HTTPS and more.

MIT License

453 stars 80 forks source link

Should make use of SecretStr for any Token or Password fields #22

Closed sammaphey closed 6 months ago

sammaphey commented 7 months ago

To avoid logging tokens or passwords accidentally pydantic provides a nice SecretStr model as a way to reduce these issues.

Can change instances like:

class Token(BaseModel):
    access_token: str
    refresh_token: Optional[str] = None
    token_type: str

from pydantic import SecretStr

class Token(BaseModel):
    access_token: SecretStr
    refresh_token: Optional[SecretStr] = None
    token_type: str

Jibola commented 7 months ago

Thanks for providing this suggestion! We've gone ahead and created a JIRA ticket for this change to track this issue.

Feel free to provide a contribution as well, and we will happily review it. :)

FlorianEisenbarth commented 5 months ago

If SecretStr is used on the Token model how could we use the Oauth2 login workflow then ? The method login_with_oauth2 would output:

{'access_token': '***', 'refresh_token': '****', 'token_type': 'bearer'}`

so, how can we use the access token to access other API endpoints ? If I misunderstood something could you explain what I’m doing wrong.

thoth2357 commented 5 months ago

@FlorianEisenbarth you aren't wrong , with the use of secretstr, the Oauth2 login workflow wouldn't work as expected as the authorization headers would be in '***'. I think the only workaround would be to create a new base model that wont type it field with secretstr