pivotal-cf / pivnet-cli

CLI to interact with Tanzu Network API V2 interface.
Apache License 2.0

Redact `Authorization` header for `--verbose` logging to avoid credential leaks #49

Open scothis opened 1 year ago

scothis commented 1 year ago

Is your feature request related to a problem? Please describe.

The --verbose flag prints details for HTTP requests made by the cli, including the Authorization header. This header contains credentials used to authorize the request. A malicious user who has access to the logs could use that credential to impersonate the original account.

This behavior is particularly problematic when the pivnet-cli is used in a CI environment that captures and persists logs, which are often visible to multiple individuals who are not authorized to have the credential.

Describe the solution you'd like

Auth credentials should never be logged in a way that can be observed by a third party and then reused maliciously. The content of the Authorization header should be redacted in the log output. In the case where the value is a JWT bearer token, the signature can be redacted so that the token is invalidated while the user can still inspect the header and payload content.

If and when logging the credential is desirable, the user should opt-in to that behavior with a setting that is clearly labeled as "unsafe" or "dangerous".

Describe alternatives you've considered

Many CI systems attempt to redact known credentials from the log; however, the tokens used by Pivnet to authorize requests are generated and not known to the CI system as a secret.

A user could manually apply a grep filter to remove this value, but that is a high burden to place on every pivnet-cli invocation. It is also fragile, as the format of the output may change, again exposing the credential.

Additional context

No response
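The redaction the issue asks for, as an added Go example that is not code from the pivnet-cli project or from the issue author. It assumes nothing about pivnet-cli's internals: `RedactAuthorization`, `RedactHeaders`, `DumpRequestForLog`, the `unsafeLogCredentials` opt-in flag, the `network.example.com` host and the HS256 token built from a constructed signing key are all illustrative. A `Bearer` value with three dot-separated segments is treated as a JWT and keeps its header and payload with only the signature replaced; any other scheme (`Basic`, `Token`, an opaque bearer value) is redacted entirely. The dump is taken from a cloned request so the real credential stays on the request that is actually sent.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httputil"
	"strings"
)

const redacted = "[REDACTED]"

// RedactAuthorization returns a log-safe form of an Authorization header value.
// For "Bearer <JWT>" the base64url header and payload segments are kept so the
// claims stay inspectable, and only the signature is replaced, which makes the
// logged token unusable. Every other scheme is redacted after the scheme name,
// and a value with no scheme at all is redacted completely.
func RedactAuthorization(value string) string {
	fields := strings.SplitN(value, " ", 2)
	if len(fields) != 2 || fields[0] == "" || fields[1] == "" {
		return redacted
	}
	scheme, cred := fields[0], fields[1]
	if strings.EqualFold(scheme, "Bearer") {
		parts := strings.Split(cred, ".")
		if len(parts) == 3 && parts[0] != "" && parts[1] != "" {
			return scheme + " " + parts[0] + "." + parts[1] + "." + redacted
		}
	}
	return scheme + " " + redacted
}

// RedactHeaders returns a copy of h in which every Authorization value has been
// passed through RedactAuthorization. The input is not modified: the request
// that goes on the wire must keep its real credential.
func RedactHeaders(h http.Header) http.Header {
	out := h.Clone()
	if vals := h.Values("Authorization"); len(vals) > 0 {
		out.Del("Authorization")
		for _, v := range vals {
			out.Add("Authorization", RedactAuthorization(v))
		}
	}
	return out
}

// DumpRequestForLog renders req the way a --verbose flag might. Unless the
// caller explicitly opts in with unsafeLogCredentials (the "dangerous" setting
// the issue proposes), the dump is produced from a clone whose Authorization
// header has been redacted.
func DumpRequestForLog(req *http.Request, unsafeLogCredentials bool) (string, error) {
	toDump := req
	if !unsafeLogCredentials {
		clone := req.Clone(req.Context())
		clone.Header = RedactHeaders(req.Header)
		toDump = clone
	}
	b, err := httputil.DumpRequest(toDump, false)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// constructedJWT builds a syntactically valid HS256 token from a constructed
// signing key so the example runs offline. It is not a real Tanzu Network token.
func constructedJWT() string {
	enc := base64.RawURLEncoding.EncodeToString
	header := enc([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload := enc([]byte(`{"sub":"example-user","scope":"pivnet"}`))
	mac := hmac.New(sha256.New, []byte("constructed-signing-key"))
	mac.Write([]byte(header + "." + payload))
	return header + "." + payload + "." + enc(mac.Sum(nil))
}

func main() {
	// Constructed request against a placeholder host; the path shape mirrors a v2 API call.
	req, err := http.NewRequest("GET", "https://network.example.com/api/v2/products", nil)
	if err != nil {
		panic(err)
	}
	req.Header.Set("Authorization", "Bearer "+constructedJWT())

	safe, _ := DumpRequestForLog(req, false)
	fmt.Print("--- redacted (default) ---\n", safe)

	unsafe, _ := DumpRequestForLog(req, true)
	fmt.Print("--- unsafe opt-in ---\n", unsafe)
}
```

Keeping the JWT header and payload visible is a deliberate trade: they are only base64url-encoded, not encrypted, so a logged payload may still reveal claims such as a user id, but without the signature the token cannot be replayed, which is the leak the issue is about.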