Closed JohnMcLear closed 4 months ago
This is only logged in debug mode. Also: the password is stored in clear text in Home Assistant, as there is no way to encrypt this (as far as I know)
I'm 80% sure HA has a method for ensuring passwords are omitted from plugin debug logs but maybe that's core only as I can't see it after 1 minute searching online.
Can we at least leave this open as lots of the time plugin devs will say "send me your log file" and by default HA will spit out every plugin within scopes logs and this will include user/pass for third party services IE Fusionsolar.
Is it worth not trying to catch the error output from the auth attempt/request? That way user/pass wont be logged..
A quick Google for references:
If I check the links, there is no solution to redact content from the logs. Feel free to create a PR that removes https://github.com/tijsverkoyen/HomeAssistant-FusionSolar/blob/master/custom_components/fusion_solar/config_flow.py#L79
I never ask people to share their credentials on Github itself, and I also remove credentials if I see them being posted here.
I have removed the debug logging. See https://github.com/tijsverkoyen/HomeAssistant-FusionSolar/commit/cdc720db3cc008591f2fe303380b6f41b4b86f45. Will be included in the next release
For security reasons you don't want to output user/passwords to log files.