Move user credentials into HTTP request headers to prevent them being logged in the server logs

2026-06-24 05:35:10 +00:00 · 2026-06-20 10:15:35 +01:00
parent ae17839096
commit e08a183d1b
13 changed files with 58 additions and 77 deletions
--- a/server/handlers/api/lookups.py
+++ b/server/handlers/api/lookups.py
@@ -47,7 +47,7 @@ class APILookupCallHandler(tornado.web.RequestHandler):
                if re.match(r"^[A-Z0-9/\-]*$", call):
                    # Take the callsign, make a "fake spot" so we can run infer_missing() on it, then repack the
                    # resulting data in the correct way for the API response.
-                    credentials = extract_credentials(query_params)
+                    credentials = extract_credentials(self.request.headers)
                    fake_spot = Spot(dx_call=call)
                    fake_spot.infer_missing(credentials)
                    data = {