From 3e76c8c12b4bd7d1ab0a71141c031bf74ff8a51e Mon Sep 17 00:00:00 2001
From: "Alex Ellis (OpenFaaS Ltd)"
Date: Wed, 22 Nov 2023 18:07:43 +0000
Subject: [PATCH] Redact the Authorization header for safer sharing

This redacts the Authorization header, but shows whether a Basic or Bearer token was used, just not the value.

Signed-off-by: Alex Ellis (OpenFaaS Ltd)
---
 proxy/client.go | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/proxy/client.go b/proxy/client.go
index d480f3ac..0a63564b 100644
--- a/proxy/client.go
+++ b/proxy/client.go
@@ -103,7 +103,21 @@ func (c *Client) newRequest(method, path string, query url.Values, body io.Reade
 if os.Getenv("FAAS_DEBUG") == "1" {
 fmt.Printf("%s %s\n", req.Method, req.URL.String())
 for k, v := range req.Header {
- fmt.Printf("%s: %s\n", k, v)
+ if k == "Authorization" {
+ auth := "[REDACTED]"
+ if len(v) == 0 {
+ auth = "[NOT_SET]"
+ } else {
+ l, _, ok := strings.Cut(v[0], " ")
+ if ok && (l == "Basic" || l == "Bearer") {
+ auth = l + " REDACTED"
+ }
+ }
+ fmt.Printf("%s: %s\n", k, auth)
+
+ } else {
+ fmt.Printf("%s: %s\n", k, v)
+ }
 }
 
 if len(bodyDebug) > 0 {
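Review bot: The redaction matches only the exact key `Authorization`, so the `else` branch still prints every other header value verbatim, including any `Proxy-Authorization`, `Cookie` or API-key style header a caller may attach to the request. The `==` comparison also depends on the key having been canonicalised by `Header.Set`/`Add`; a key written directly into the map with different casing would not match and would be printed in full. Consider widening the guard, for example `if strings.EqualFold(k, "Authorization") || strings.EqualFold(k, "Proxy-Authorization") || strings.EqualFold(k, "Cookie") {`. The unchanged context lines can leak as well: `req.URL.String()` prints any userinfo password (`req.URL.Redacted()` masks it), and the `bodyDebug` dump that follows may carry secrets, though its contents are not visible here. `newRequest` starts and ends outside the hunk, so how the headers and body are populated should be confirmed against the full function.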