Add option for logging secrets

If a secret key seed is provided in the environment, the gateway logs it in the clear. This commit gates that behavior on a new environment variable `LOG_SECRETS`, which is off by default.
divviup · May 7, 2024 · 17d3a61 · 17d3a61
1 parent 0a8325a
commit 17d3a61
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/main.go b/main.go
@@ -56,6 +56,7 @@ const (
 	monitoringServiceNameEnvironmentVariable = "MONITORING_SERVICE_NAME"
 	gatewayDebugEnvironmentVariable          = "GATEWAY_DEBUG"
 	gatewayVerboseEnvironmentVariable        = "VERBOSE"
+	logSecretsEnvironmentVariable            = "LOG_SECRETS"
 )
 
 type gatewayServer struct {
@@ -128,9 +129,15 @@ func main() {
 		port = defaultPort
 	}
 
+	logSecrets := getBoolEnv(logSecretsEnvironmentVariable, false)
+
 	var seed []byte
 	if seedHex := os.Getenv(secretSeedEnvironmentVariable); seedHex != "" {
-		log.Printf("Using Secret Key Seed : [%v]", seedHex)
+		if logSecrets {
+			log.Printf("Using Secret Key Seed: [%v]", seedHex)
+		} else {
+			log.Print("Using Secret Key Seed provided in environment variable")
+		}
 		var err error
 		seed, err = hex.DecodeString(seedHex)
 		if err != nil {