Obfuscate password in credentials debug messages (#12944)

I noticed in the trace output that we weren't obfuscating the `Credentials` password in a trace message. This PR creates a `Password` newtype with a custom `Debug` implementation.
2025-04-19 00:01:11 +02:00 · 2025-04-19 00:01:11 +02:00 · ea16fe28b6
parent 41ac6649d7
commit ea16fe28b6
1 changed files with 39 additions and 9 deletions
--- a/crates/uv-auth/src/credentials.rs
+++ b/crates/uv-auth/src/credentials.rs
@ -2,6 +2,7 @@ use base64::prelude::BASE64_STANDARD;
 use base64::read::DecoderReader;
 use base64::write::EncoderWriter;
 use std::borrow::Cow;
+use std::fmt;

 use netrc::Netrc;
 use reqwest::header::HeaderValue;
@ -18,7 +19,7 @@ pub enum Credentials {
        /// The username to use for authentication.
        username: Username,
        /// The password to use for authentication.
-        password: Option<String>,
+        password: Option<Password>,
    },
    Bearer {
        /// The token to use for authentication.
@ -67,13 +68,28 @@ impl From<Option<String>> for Username {
    }
 }

+#[derive(Clone, PartialEq, Eq, Ord, PartialOrd, Hash, Default)]
+pub struct Password(String);
+
+impl Password {
+    pub fn as_str(&self) -> &str {
+        self.0.as_str()
+    }
+}
+
+impl fmt::Debug for Password {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "****")
+    }
+}
+
 impl Credentials {
    /// Create a set of HTTP Basic Authentication credentials.
    #[allow(dead_code)]
    pub fn basic(username: Option<String>, password: Option<String>) -> Self {
        Self::Basic {
            username: Username::new(username),
-            password,
+            password: password.map(Password),
        }
    }

@ -106,7 +122,7 @@ impl Credentials {

    pub fn password(&self) -> Option<&str> {
        match self {
-            Self::Basic { password, .. } => password.as_deref(),
+            Self::Basic { password, .. } => password.as_ref().map(Password::as_str),
            Self::Bearer { .. } => None,
        }
    }
@ -135,7 +151,7 @@ impl Credentials {

        Some(Credentials::Basic {
            username: Username::new(Some(entry.login.clone())),
-            password: Some(entry.password.clone()),
+            password: Some(Password(entry.password.clone())),
        })
    }

@ -161,10 +177,12 @@ impl Credentials {
            }
            .into(),
            password: url.password().map(|password| {
-                percent_encoding::percent_decode_str(password)
-                    .decode_utf8()
-                    .expect("An encoded password should always decode")
-                    .into_owned()
+                Password(
+                    percent_encoding::percent_decode_str(password)
+                        .decode_utf8()
+                        .expect("An encoded password should always decode")
+                        .into_owned(),
+                )
            }),
        })
    }
@ -228,7 +246,7 @@ impl Credentials {
            };
            return Some(Self::Basic {
                username: Username::new(username),
-                password,
+                password: password.map(Password),
            });
        }

@ -407,4 +425,16 @@ mod tests {
        assert_debug_snapshot!(header, @r###""Basic dXNlcjpwYXNzd29yZD09""###);
        assert_eq!(Credentials::from_header_value(&header), Some(credentials));
    }
+
+    // Test that we don't include the password in debug messages.
+    #[test]
+    fn test_password_obfuscation() {
+        let credentials =
+            Credentials::basic(Some(String::from("user")), Some(String::from("password")));
+        let debugged = format!("{credentials:?}");
+        assert_eq!(
+            debugged,
+            "Basic { username: Username(Some(\"user\")), password: Some(****) }"
+        );
+    }
 }