Fix credentials leaking in debug logs (#4)

Add a secret-masking slog.Handler that automatically replaces registered passwords with "***" in all log output. Secrets are registered per-scan when a discovery request arrives and unregistered when it completes. This approach masks credentials everywhere they appear in logs — URL userinfo, query parameters, path segments, and Go HTTP error messages — without modifying any business logic in scanner, builder, tester, or ONVIF components. API responses are unaffected and still return full URLs with credentials for frontend use.
2026-03-20 11:03:01 +00:00
parent e269e243da
commit 8cf05a1576
7 changed files with 422 additions and 9 deletions
@@ -45,11 +45,11 @@ func main() {
 	cfg.Version = Version

 	// Setup logger
-	slogger := cfg.SetupLogger()
+	slogger, secrets := cfg.SetupLogger()
 	slog.SetDefault(slogger)

 	// Create adapter for our interface
-	log := logger.NewAdapter(slogger)
+	log := logger.NewAdapter(slogger, secrets)

 	log.Info("starting Strix",
 		slog.String("version", Version),
@@ -63,7 +63,7 @@ func main() {
 	}

 	// Create API server
-	apiServer, err := api.NewServer(cfg, log)
+	apiServer, err := api.NewServer(cfg, secrets, log)
 	if err != nil {
 		log.Error("failed to create API server", err)
 		os.Exit(1)