globocom / aio-alf Goto Github PK

Hello,

when turning on debugging, aioalf logs the Authorization header of the request, thus disclosing private credentials.

I would like to suggest that such header is filtered before logging so credentials are not exposed (this is a security best practice).

For example, one could log the first 5 and last 2 characters of the token, something like:

DEBUG:aioalf.client:Header Authorization: Bearer abcde<...>fg

This happens in both the client and the manager:

I may be able to submit a PR if you are willing to take it.

Thanks

Hello,

line 79 in manager.py initializes a TokenError object with the wrong number of arguments, resulting in an unhelpful TypeError: __init__() takes 2 positional arguments but 3 were given exception.

I think a viable solution would be to use something like

raise TokenError('Missing credentials (client_id:client_secret), {}'.format(e))

Many thanks

Hello,

thanks for creating aio-alf.

I have noticed that there is no way for TokenManager to send the scope[1] parameter in its token request:

Specifying the scopes is quite useful and I was wondering whether this functionality could be added to the library.

As a (quite ugly) workaround, I have overridden the _request_token method in a custom token manager class and using it in a custom subclass of Client.

What do you think about optionally passing the scopes to the Client so it can forward them to its token manager?

Many thanks

[1] https://tools.ietf.org/html/rfc6749#section-3.3