From 939ab29d0499c5adfbc0d68655f1df1186b09c93 Mon Sep 17 00:00:00 2001
From: Stephane
Date: Fri, 27 Sep 2024 14:04:22 +0200
Subject: [PATCH] fix(xo-server/api): private data in api call (#8019)
---
 CHANGELOG.unreleased.md | 1 +
 packages/xo-server/src/xo-mixins/api.mjs | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.unreleased.md b/CHANGELOG.unreleased.md
index 1ab005e4bf6..fa7cfa69e25 100644
--- a/CHANGELOG.unreleased.md
+++ b/CHANGELOG.unreleased.md
@@ -27,6 +27,7 @@
 > Users must be able to say: “I had this issue, happy to know it's fixed”
 - [REST API] Fix broken _Rolling Pool Update_ pool action [Forum#82867](https://xcp-ng.org/forum/post/82867)
+- [Logs] Fix private data in API call: password now obfuscated (PR [#8019](https://github.com/vatesfr/xen-orchestra/pull/8019))
 ### Packages to release
diff --git a/packages/xo-server/src/xo-mixins/api.mjs b/packages/xo-server/src/xo-mixins/api.mjs
index b49d55a09df..5233f025edb 100644
--- a/packages/xo-server/src/xo-mixins/api.mjs
+++ b/packages/xo-server/src/xo-mixins/api.mjs
@@ -398,10 +398,11 @@ export default class Api {
 const resolvedParams = await resolveParams.call(app, method, params)
+ // data.params contains obfuscated params
 let result = await (name in NO_LOG_METHODS
 ? method.call(app, resolvedParams)
 : app.tasks
- .create({ name: 'API call: ' + name, method: name, params, type: 'api.call' }, { clearLogOnSuccess: true })
+ .create({ name: 'API call: ' + name, method: name, params: data.params, type: 'api.call' }, { clearLogOnSuccess: true })
 .run(() => method.call(app, resolvedParams)))
 // If nothing was returned, consider this operation a success
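Review bot: The comment added above `let result` sits several lines away from the `params: data.params` argument it explains and does not say why the raw `params` must stay out of the task record; placing it directly above `.create(...)` and wording it as `// task record is logged: pass the obfuscated copy, never raw params (may hold passwords)` would make it harder for a later edit to revert to the `params` shorthand. `data` is built outside this hunk, so it is not visible here which keys the obfuscation covers; it is worth confirming that it handles nested credential fields and not only a top-level `password`. The raw `resolvedParams` still reach `method.call`, as they must, but an error thrown there that echoes its arguments would presumably still end up in the task log, since `clearLogOnSuccess` appears to clear it only on success. The enclosing method starts and ends outside the hunk.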