weareu opened a new issue #255: URL: https://github.com/apache/couchdb-nano/issues/255

Nano with Axios is not scrubbing output correctly for non-url basic auth (using requestDefaults) on request errors. Auth errors, timeouts and change feeds are still dumping the password from the request if using requestDefaults: Auth to authenticate. Headers are scrubbed for logging, though, but not errors.

## Expected Behavior

All exceptions/errors should scrub the request header (requestDefaults.auth) or just the auth object password correctly.

## Current Behavior

For the Auth request header (Basic Auth), the password is not scrubbed with new axios requests.

## Possible Solution

Where url and cookie are currently scrubbed in responseHandlers, also scrub the auth header just like is done in relax()

## Steps to Reproduce (for bugs)

1. Authenticate using requestDefaults -> Auth header username and password
2. Generate an exception (cut connection on a reader, for example)
3. Password is not scrubbed for Request added to Error object returned.

## Context

Our password is being dumped to logs and shipped on timeouts in our production environment.

## Your Environment

* Version used: 9.0.3 (latest)

----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
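
The redaction the issue asks for, sketched as an added example (not nano's own code and not part of the original report): a copy of the request options is scrubbed of the `auth` password, credential-bearing headers and URL userinfo before it is attached to an error or logged. The function names, the `XXXXXX` marker and the assumption that the options sit on `err.request` or `err.config` as a plain object are illustrative.

```javascript
// Added example, not nano's code. REDACTED is an arbitrary marker.
const REDACTED = 'XXXXXX';
const SECRET_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie']);

// Mask "user:pass@" in the authority part of a URL string.
function scrubUrl(url) {
  if (typeof url !== 'string') return url;
  return url.replace(/^([a-z][a-z0-9+.-]*:\/\/)[^/?#@]*@/i, `$1${REDACTED}:${REDACTED}@`);
}

// Return a redacted copy of an axios-style request config.
// The live config is never mutated, so retries still authenticate.
function scrubRequest(req) {
  if (req === null || typeof req !== 'object') return req;
  const out = { ...req };
  for (const key of ['url', 'uri', 'baseURL']) {
    if (key in out) out[key] = scrubUrl(out[key]);
  }
  if (out.auth && typeof out.auth === 'object') {
    out.auth = { ...out.auth, password: REDACTED };
  }
  if (out.headers && typeof out.headers === 'object') {
    out.headers = { ...out.headers };
    for (const name of Object.keys(out.headers)) {
      if (SECRET_HEADERS.has(name.toLowerCase())) out.headers[name] = REDACTED;
    }
  }
  return out;
}

// Redact an error before it is logged or rethrown. Assumption: the request
// options are attached as a plain object under err.request (as the issue
// describes) or err.config (where axios puts its config).
function scrubError(err) {
  for (const field of ['request', 'config']) {
    const v = err && err[field];
    if (v && Object.getPrototypeOf(v) === Object.prototype) err[field] = scrubRequest(v);
  }
  return err;
}

// Constructed sample: a timeout error carrying basic-auth credentials.
function sampleError() {
  const err = new Error('timeout of 5000ms exceeded');
  err.request = {
    method: 'get',
    url: 'http://admin:s3cret@localhost:5984/db/_changes',
    auth: { username: 'admin', password: 's3cret' },
    headers: { Authorization: 'Basic YWRtaW46czNjcmV0', Accept: 'application/json' },
  };
  return err;
}
```

A regression test for this class of leak can serialize the scrubbed error and assert that neither the plaintext password nor its Base64 `Authorization` form appears anywhere in the output.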
