[FOLIO-1520] sensitive information is logged/echoed Created: 20/Sep/18  Updated: 18/Jan/19

Status: Open
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: P3
Reporter: Zak Burke Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Sprint:
Development Team: Core: Platform

Description

When a request contains sensitive information, e.g. a login or change-password request, and the request fails, that information must not be logged or returned as part of the error response.

Details

Currently, POST requests to http://folio-snapshot-367.aws.indexdata.com:9130/bl-users/login?expandPermissions=true&fullPermissions=true are failing with a 500 response whose body is

{
  "endpoint" : "/authn/login",
  "statusCode" : 500,
  "errorMessage" : "{\"username\":\"diku_admin\",\"password\":\"admin\"}"
}

The error message should not contain sensitive information such as the password.
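As an added illustration (not code from the FOLIO modules, which are Java), a Python sketch of the sanitisation the description asks for: redact the sensitive fields of a JSON body before it is logged or echoed in the error envelope, and omit bodies that cannot be parsed rather than guessing. The key list and placeholder strings are assumptions.

```python
import json
from typing import Any

# Keys whose values must never reach logs or error responses.
# Assumed list; compared case-insensitively with underscores removed,
# so "newPassword" and "api_key" match too.
SENSITIVE_KEYS = {"password", "newpassword", "token", "secret", "apikey"}
REDACTED = "[REDACTED]"
OMITTED = "[non-JSON body omitted]"


def redact(value: Any) -> Any:
    """Recursively replace the values of sensitive keys in parsed JSON."""
    if isinstance(value, dict):
        return {
            k: REDACTED if k.lower().replace("_", "") in SENSITIVE_KEYS else redact(v)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def safe_error_message(raw_body: str) -> str:
    """Return a form of a request/upstream body that is safe to echo or log.

    The defect in the issue is that the raw body, password included, is copied
    verbatim into "errorMessage". If the body parses as JSON its sensitive
    fields are redacted; if it does not parse, it is not echoed at all, since
    there is no way to tell what it contains.
    """
    try:
        parsed = json.loads(raw_body)
    except (ValueError, TypeError):
        return OMITTED
    return json.dumps(redact(parsed), separators=(",", ":"))


def build_error_response(endpoint: str, status_code: int, raw_body: str) -> dict:
    """Build the error envelope shown in the issue, with the body sanitised."""
    return {
        "endpoint": endpoint,
        "statusCode": status_code,
        "errorMessage": safe_error_message(raw_body),
    }

# Constructed sample mirroring the body quoted in the issue.
SAMPLE_BODY = '{"username":"diku_admin","password":"admin"}'

if __name__ == "__main__":
    print(json.dumps(build_error_response("/authn/login", 500, SAMPLE_BODY), indent=2))
```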

Comments
Comment by Zak Burke [ 20/Sep/18 ]

I filed this under Folio rather than mod-users-bl because it identifies the general issue – sensitive information should not be logged – rather than a specific one. But, if you did want to file a sub issue to deal with this specific case, _/proxy/tenants/diku/modules?full=true reports this instance is running mod-users-bl-4.0.2-SNAPSHOT.25 and mod-authtoken-1.5.2-SNAPSHOT.26.

Generated at Thu Feb 08 23:13:57 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.