Once the proxy endpoint is created, Centrifugo displays a connection string with the user credentials in the log output:

```
2024-09-09 01:59:21 [INF] RPC proxy enabled endpoint=https://user:password@localhost:8080/rpc
```

OR (if log in JSON format)

```json
{"level":"info","endpoint":"https://user:password@localhost:8080/rpc","time":"2024-09-08T19:13:44Z","message":"RPC proxy enabled"}
```
This is a potential risk of leaking passwords for connecting to the application server.
Versions
Centrifugo version is <5.4.5>
Steps to Reproduce
How can the bug be triggered?
In centrifugo config file:

```
{
...
"proxy_rpc_endpoint": "https://user:password@localhost:8080/rpc",
...
}
```
A quick solution might be like this
In main.go add function

```go
import "net/url"

// redactedUrl returns the endpoint with its password replaced by "xxxxx"
// (what (*url.URL).Redacted does), or "" if the endpoint cannot be parsed.
func redactedUrl(endpoint string) string {
	parsedUrl, err := url.Parse(endpoint)
	if err != nil {
		return ""
	}
	return parsedUrl.Redacted()
}
```

and replace any log code

```go
// log.Info().Str("endpoint", rpcEndpoint).Msg("RPC proxy enabled")
log.Info().Str("endpoint", redactedUrl(rpcEndpoint)).Msg("RPC proxy enabled")
```
Then the log looks like this:

```
2024-09-09 03:39:13 [INF] RPC proxy enabled endpoint=https://user:xxxxx@localhost:8080/rpc
```

Patch to FIX log output:
https://github.com/matsuev/centrifugo/tree/fix-log-proxy-credentials

Refactored code to use proxy.Config Endpoint field as *url.URL:
https://github.com/matsuev/centrifugo/tree/refactor-proxy-config
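As an added example (not the reporter's patch and not Centrifugo's code), the same `url.Redacted` approach wrapped in a type that implements `fmt.Stringer` and `slog.LogValuer`, so both text and JSON log lines come out redacted without every call site having to remember the helper; it assumes the standard `log/slog` logger rather than the zerolog-style logger used in the issue, and the endpoint value is a constructed sample.

```go
package main

import (
	"bytes"
	"fmt"
	"log/slog"
	"net/url"
)

// Endpoint wraps a proxy endpoint URL so that every logging path
// (text or JSON) receives the credential-free form automatically.
// Added illustration only; not a Centrifugo type.
type Endpoint struct{ raw string }

// Redact returns the endpoint with its password replaced by "xxxxx"
// (exactly what (*url.URL).Redacted does). Unparseable input yields "".
func Redact(endpoint string) string {
	u, err := url.Parse(endpoint)
	if err != nil {
		return ""
	}
	return u.Redacted()
}

// String makes fmt and text-mode loggers print the redacted form.
func (e Endpoint) String() string { return Redact(e.raw) }

// LogValue makes slog handlers (including the JSON handler) print the redacted form.
func (e Endpoint) LogValue() slog.Value { return slog.StringValue(Redact(e.raw)) }

// logProxyEnabled writes the "RPC proxy enabled" record to a JSON logger
// and returns the emitted line so the caller can inspect it.
func logProxyEnabled(endpoint string) string {
	var buf bytes.Buffer
	logger := slog.New(slog.NewJSONHandler(&buf, nil))
	logger.Info("RPC proxy enabled", "endpoint", Endpoint{raw: endpoint})
	return buf.String()
}

func main() {
	const rpcEndpoint = "https://user:password@localhost:8080/rpc" // constructed sample
	fmt.Println(Redact(rpcEndpoint))
	fmt.Print(logProxyEnabled(rpcEndpoint))
}
```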
Hello @matsuev
Thanks for the report, you are right - need to strip out sensitive info before logging.
While it's not fixed - maybe consider using some reverse proxy between Centrifugo and your backend which adds basic auth.
Fixed in #890 - will be part of the next release
Fixed in https://github.com/centrifugal/centrifugo/releases/tag/v5.4.6