Move user credentials into HTTP request headers to prevent them being logged in the server logs

2026-06-24 05:35:10 +00:00 · 2026-06-20 10:15:35 +01:00
parent ae17839096
commit e08a183d1b
13 changed files with 58 additions and 77 deletions
--- a/server/handlers/api/alerts.py
+++ b/server/handlers/api/alerts.py
@@ -53,7 +53,7 @@ class APIAlertsHandler(tornado.web.RequestHandler):
            query_params = {k: v[0].decode("utf-8") for k, v in self.request.arguments.items()}

            # Fetch all alerts matching the query, then optionally enrich with online data
-            credentials = extract_credentials(query_params)
+            credentials = extract_credentials(self.request.headers)
            data = get_alert_list_with_filters(self._alerts, query_params)
            if credentials:
                data = self._enrich(data, credentials)
@@ -104,7 +104,7 @@ class APIAlertsStreamHandler(tornado_eventsource.handler.EventSourceHandler):
            # request.arguments contains lists for each param key because technically the client can supply multiple,
            # reduce that to just the first entry, and convert bytes to string
            self._query_params = {k: v[0].decode("utf-8") for k, v in self.request.arguments.items()}
-            self._credentials = extract_credentials(self._query_params)
+            self._credentials = extract_credentials(self.request.headers)

            # Create a alert queue and add it to the web server's list. The web server will fill this when alerts arrive
            self._alert_queue = Queue(maxsize=SSE_HANDLER_MAX_QUEUE_SIZE)
--- a/server/handlers/api/lookups.py
+++ b/server/handlers/api/lookups.py
@@ -47,7 +47,7 @@ class APILookupCallHandler(tornado.web.RequestHandler):
                if re.match(r"^[A-Z0-9/\-]*$", call):
                    # Take the callsign, make a "fake spot" so we can run infer_missing() on it, then repack the
                    # resulting data in the correct way for the API response.
-                    credentials = extract_credentials(query_params)
+                    credentials = extract_credentials(self.request.headers)
                    fake_spot = Spot(dx_call=call)
                    fake_spot.infer_missing(credentials)
                    data = {
--- a/server/handlers/api/spots.py
+++ b/server/handlers/api/spots.py
@@ -53,7 +53,7 @@ class APISpotsHandler(tornado.web.RequestHandler):
            query_params = {k: v[0].decode("utf-8") for k, v in self.request.arguments.items()}

            # Fetch all spots matching the query, then optionally enrich with online data
-            credentials = extract_credentials(query_params)
+            credentials = extract_credentials(self.request.headers)
            data = get_spot_list_with_filters(self._spots, query_params)
            if credentials:
                data = self._enrich(data, credentials)
@@ -106,7 +106,7 @@ class APISpotsStreamHandler(tornado_eventsource.handler.EventSourceHandler):
            # request.arguments contains lists for each param key because technically the client can supply multiple,
            # reduce that to just the first entry, and convert bytes to string
            self._query_params = {k: v[0].decode("utf-8") for k, v in self.request.arguments.items()}
-            self._credentials = extract_credentials(self._query_params)
+            self._credentials = extract_credentials(self.request.headers)

            # Create a spot queue and add it to the web server's list. The web server will fill this when spots arrive
            self._spot_queue = Queue(maxsize=SSE_HANDLER_MAX_QUEUE_SIZE)