gilles/Strix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix credentials leaking in debug logs (#4)

Browse Source 
Add a secret-masking slog.Handler that automatically replaces registered
passwords with "***" in all log output. Secrets are registered per-scan
when a discovery request arrives and unregistered when it completes.

This approach masks credentials everywhere they appear in logs — URL
userinfo, query parameters, path segments, and Go HTTP error messages —
without modifying any business logic in scanner, builder, tester, or
ONVIF components. API responses are unaffected and still return full
URLs with credentials for frontend use.
This commit is contained in:
eduard256
2026-03-20 11:03:01 +00:00
parent e269e243da
commit 8cf05a1576
7 changed files with 422 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/api/routes.go
+5 -1
View File
@@ -10,6 +10,7 @@ import (
"github.com/eduard256/Strix/internal/camera/discovery"
"github.com/eduard256/Strix/internal/camera/stream"
"github.com/eduard256/Strix/internal/config"
logutil "github.com/eduard256/Strix/internal/utils/logger"
"github.com/eduard256/Strix/pkg/sse"
)
@@ -22,12 +23,14 @@ type Server struct {
scanner *discovery.Scanner
probeService *discovery.ProbeService
sseServer *sse.Server
secrets *logutil.SecretStore
logger interface{ Debug(string, ...any); Error(string, error, ...any); Info(string, ...any) }
}
// NewServer creates a new API server
func NewServer(
cfg *config.Config,
secrets *logutil.SecretStore,
logger interface{ Debug(string, ...any); Error(string, error, ...any); Info(string, ...any) },
) (*Server, error) {
// Initialize database loader
@@ -102,6 +105,7 @@ func NewServer(
scanner: scanner,
probeService: probeService,
sseServer: sseServer,
secrets: secrets,
logger: logger,
}
@@ -147,7 +151,7 @@ func (s *Server) setupRoutes() {
s.router.Post("/cameras/search", handlers.NewSearchHandler(s.searchEngine, s.logger).ServeHTTP)
// Stream discovery (SSE)
s.router.Post("/streams/discover", handlers.NewDiscoverHandler(s.scanner, s.sseServer, s.logger).ServeHTTP)
s.router.Post("/streams/discover", handlers.NewDiscoverHandler(s.scanner, s.sseServer, s.secrets, s.logger).ServeHTTP)
// Device probe (ping + DNS + ARP/OUI + mDNS)
s.router.Get("/probe", handlers.NewProbeHandler(s.probeService, s.logger).ServeHTTP)