Open josecelano opened 7 months ago
Instead of removing the token from the logs we could add a new authentication method. We could use a bearer token authentication scheme. We are using it in the Index, so we only need to adapt that code:
https://github.com/torrust/torrust-index/blob/develop/src/web/api/server/v1/auth.rs
Maybe we can keep the GET param token for testing because it makes it easier to load API resources. However, I would remove it, we can use https://www.postman.com/ or curl.
We are using a `token` query param for API authentication and we are logging the whole request URL. That means tokens are included in the logs.
We should hide those tokens with `****` or change the way we pass the token. We could use an HTTP header like in the Index. I prefer the second option because other proxies could also log the URLs.
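Both options from the issue, as an added example that is not torrust code: `redact_token_in_url` masks the `token` query parameter before a request line is logged (the `****` approach), and `extract_bearer` reads the credential from an `Authorization: Bearer` header instead, so it never appears in a URL that this service or an upstream proxy might log. The path and token values are constructed samples.

```rust
// Added example (not torrust code). Mitigations for tokens leaking into request logs:
// 1. redact_token_in_url: mask the `token` query value before logging (keeps the
//    GET-param scheme but stops the credential from reaching this service's logs).
// 2. extract_bearer: take the credential from `Authorization: Bearer <token>` instead,
//    so it is never part of the URL and proxies in front cannot log it either.

/// Replace the value of the `token` query parameter with `****`.
/// Other parameters are untouched; a URL without a query string is returned unchanged.
pub fn redact_token_in_url(url: &str) -> String {
    let (path, query) = match url.split_once('?') {
        Some(parts) => parts,
        None => return url.to_string(),
    };
    let redacted: Vec<String> = query
        .split('&')
        .map(|pair| match pair.split_once('=') {
            Some(("token", _)) => "token=****".to_string(),
            _ => pair.to_string(),
        })
        .collect();
    format!("{}?{}", path, redacted.join("&"))
}

/// Extract the credential from an `Authorization: Bearer <token>` header value.
/// Returns None for a missing, non-Bearer or empty token so the caller rejects the request.
pub fn extract_bearer(authorization_header: Option<&str>) -> Option<&str> {
    let value = authorization_header?.trim();
    // The scheme name is case-insensitive (RFC 6750); the token itself is not.
    let (scheme, token) = value.split_once(' ')?;
    if !scheme.eq_ignore_ascii_case("bearer") {
        return None;
    }
    let token = token.trim();
    if token.is_empty() { None } else { Some(token) }
}

fn main() {
    // Constructed request line, as it would appear in the logs today.
    let logged = "/api/v1/stats?token=MyAccessToken&limit=10";
    println!("{}", redact_token_in_url(logged)); // /api/v1/stats?token=****&limit=10
    println!("{:?}", extract_bearer(Some("Bearer MyAccessToken"))); // Some("MyAccessToken")
}
```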