pact-foundation / pact-ruby

Enables consumer driven contract testing, providing a mock service and DSL for the consumer project, and interaction playback and verification for the service provider project.
https://pact.io
MIT License

fix(security): hide personal access token given in uri #225

Closed thomas-girotto closed 4 years ago

thomas-girotto commented 4 years ago

URIs like https://pat@my-pact-server/pact.json are correct, where pat stands for personal access token, and is a secret. => the pat should not be exposed in logs here

It would be more elegant to not implicitly consider the 'username' as 'pat' when there is no password, and maybe create another explicit property in the class, but I was not sure to control the impacts of such a change... (First commit ever in ruby :) ). And after some digging around, I'm not even sure it would be worth it.

Please let me know if you think otherwise though.
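The masking behaviour described in this PR, as an added example that is not pact-ruby's own code: a hypothetical `redact_uri_credentials` helper that treats a username-only userinfo (the PAT case) as a secret and, for classic `user:password` userinfo, hides only the password before the URI is logged.

```ruby
require 'uri'

REDACTED = 'REDACTED'.freeze

# Return a copy of uri_string that is safe to write to a log.
# - https://pat@host/...          -> the username IS the secret, hide it
# - https://user:secret@host/...  -> keep the username, hide the password
# - https://host/...              -> nothing embedded, returned unchanged
# (hypothetical helper, not part of pact-ruby)
def redact_uri_credentials(uri_string)
  uri = URI.parse(uri_string)
  return uri_string if uri.user.nil?

  redacted = uri.dup
  if uri.password.nil? || uri.password.empty?
    # No real password: the "username" slot carries the token (PAT style).
    redacted.user = REDACTED
    redacted.password = nil
  else
    # Basic-auth style: username is useful for debugging, password is not.
    redacted.password = REDACTED
  end
  redacted.to_s
rescue URI::InvalidURIError
  # Never fall back to logging the raw string: it may still contain a secret.
  '<invalid uri>'
end

# Constructed sample of what a log line would carry before and after.
if $PROGRAM_NAME == __FILE__
  sample = 'https://pat@my-pact-server/pact.json' # constructed, not a real token
  puts "Fetching pact from #{redact_uri_credentials(sample)}"
end
```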

bethesque commented 4 years ago

Hi, I'd like to understand the use case better. When are you using this format rather than providing the token in the regular way? Is there a change to the Ruby API that we should make so that you don't need to use that format?

thomas-girotto commented 4 years ago

Hello, this authentication system is distinct from Bearer authentication, because I don't ask dynamically for a token that will be checked against some kind of SSO server... It's more like basic auth, but instead of using my account I use a "PAT" that I've created and that only I know. That's a way to not use my personal account as credentials, and I can for instance give fewer rights to my PAT than I would have with my personal account, revoke it and renew it more easily. You can have a look here or here, but the PAT approach is not limited to azure devops and is well supported by a lot of systems (github, gitlab...).

My specific use case here is that I want to read the pact.json file from an azure devops repo and authenticating with a PAT is the standard way to do it...

> Is there a change to the Ruby API that we should make so that you don't need to use that format?

I don't think so, as this authentication system is just another one that has become another standard, and the best thing to do in my opinion is to support this format. And it's actually already supported by the lib, we just have to hide it in the logs :)

bethesque commented 4 years ago

Ok, looks good! Thanks for the submission.

bethesque commented 4 years ago

Gem should be out in a couple of minutes.