From 953a5df43f1fd861574837f1005b67958f4a43fb Mon Sep 17 00:00:00 2001
From: Nikolay
Date: Wed, 17 May 2023 09:09:47 +0200
Subject: [PATCH] app/vmauth: do not return invalid credentials (#4288) at http response by default https://github.com/VictoriaMetrics/VictoriaMetrics/issues/4188 based on https://github.com/VictoriaMetrics/VictoriaMetrics/pull/4190 Thanks @raj-kumar-j for init implementation
---
 app/vmauth/main.go | 4 ++--
 docs/CHANGELOG.md | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/app/vmauth/main.go b/app/vmauth/main.go
index bc8cb17e5..5cf685519 100644
--- a/app/vmauth/main.go
+++ b/app/vmauth/main.go
@@ -105,15 +105,15 @@ func requestHandler(w http.ResponseWriter, r *http.Request) bool {
 ui := ac[authToken]
 if ui == nil {
 invalidAuthTokenRequests.Inc()
- err := fmt.Errorf("cannot find the provided auth token %q in config", authToken)
 if *logInvalidAuthTokens {
+ err := fmt.Errorf("cannot find the provided auth token %q in config", authToken)
 err = &httpserver.ErrorWithStatusCode{
 Err: err,
 StatusCode: http.StatusUnauthorized,
 }
 httpserver.Errorf(w, r, "%s", err)
 } else {
- http.Error(w, err.Error(), http.StatusUnauthorized)
+ http.Error(w, "Unauthorized", http.StatusUnauthorized)
 }
 return true
 }
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 34199c2d9..28bf3c714 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
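Review bot: In the `if *logInvalidAuthTokens` branch of the app/vmauth/main.go hunk, the raw token is still formatted with `%q` and handed to `httpserver.Errorf(w, r, "%s", err)`, which receives the response writer and so presumably writes the token into the HTTP response as well as the server log. If the flag is meant to control server-side logging only, log the error there and send `http.Error(w, "Unauthorized", http.StatusUnauthorized)` in both branches, so the submitted credential is never reflected to the caller. If echoing it is intentional for debugging, a comment above the branch such as `// NOTE: when logInvalidAuthTokens is set, the provided token is written to the log and to the response; enable only while debugging.` would make the exposure explicit. requestHandler's body starts before and continues after this hunk, so how authToken is derived is not visible here.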
@@ -75,6 +75,7 @@ The following tip changes can be tested by building VictoriaMetrics components f
 * BUGFIX: [vmalert](https://docs.victoriametrics.com/vmalert.html): retry failed read request on the closed connection one more time. This improves rules execution reliability when connection between vmalert and datasource closes unexpectedly.
 * BUGFIX: [vmalert](https://docs.victoriametrics.com/vmalert.html): properly display an error when using `query` function for templating value of `-external.alert.source` flag. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/4181).
 * BUGFIX: [vmalert](https://docs.victoriametrics.com/vmalert.html): properly return empty slices instead of nil for `/api/v1/rules` and `/api/v1/alerts` API handlers. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/4221).
+* BUGFIX: [vmauth](https://docs.victoriametrics.com/vmauth.html): do not return invalid auth credentials in http response by default, since it may be logged by client. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/4188).
 * BUGFIX: [vmui](https://docs.victoriametrics.com/#vmui): fix the display of the tenant selector. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/4160).
 * BUGFIX: [vmui](https://docs.victoriametrics.com/#vmui): fix UI freeze when the query returns non-histogram series alongside histogram series.
 * BUGFIX: [vmui](https://docs.victoriametrics.com/#vmui): fix the text display on buttons in Safari 16.4.