Mark passwords as sensitive variables #11652

archesproject · Nov 25, 2024 · f198214 · f198214
1 parent 06ed15a
commit f198214
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 1 deletion.
diff --git a/arches/app/views/api/auth.py b/arches/app/views/api/auth.py
@@ -4,6 +4,7 @@
 from django.contrib.auth import authenticate, login, logout
 from django.utils.decorators import method_decorator
 from django.utils.translation import gettext as _
+from django.views.decorators.debug import sensitive_variables
 from django_ratelimit.decorators import ratelimit
 
 from arches.app.models.system_settings import settings
@@ -17,6 +18,7 @@ class Login(LoginView, APIBase):
 
     http_method_names = ["post"]
 
+    @sensitive_variables()
     @method_decorator(
         ratelimit(key="post:username", rate=settings.RATE_LIMIT, block=False)
     )

diff --git a/arches/app/views/auth.py b/arches/app/views/auth.py
@@ -19,7 +19,6 @@
 import base64
 import io
 
-from django.http import response
 from arches.app.utils.external_oauth_backend import ExternalOauthAuthenticationBackend
 import qrcode
 import pyotp
@@ -33,6 +32,7 @@
 from django.utils.decorators import method_decorator
 from django.views.decorators.cache import never_cache
 from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.debug import sensitive_variables
 from django.utils.html import strip_tags
 from django.utils.translation import gettext as _
 from django.utils.http import urlencode
@@ -87,6 +87,7 @@ def get(self, request):
                 },
             )
 
+    @sensitive_variables()
     @method_decorator(
         ratelimit(
             key="post:username",
@@ -369,6 +370,7 @@ def get(self, request):
         }
         return JSONResponse(messages)
 
+    @sensitive_variables()
     @method_decorator(ratelimit(key="user", rate=settings.RATE_LIMIT, block=False))
     def post(self, request):
         messages = {
@@ -425,6 +427,7 @@ class PasswordResetConfirmView(auth_views.PasswordResetConfirmView):
 
 @method_decorator(csrf_exempt, name="dispatch")
 class UserProfileView(View):
+    @sensitive_variables()
     @method_decorator(ratelimit(key="post:username", rate=settings.RATE_LIMIT))
     def post(self, request):
         username = request.POST.get("username", None)
@@ -446,6 +449,7 @@ def post(self, request):
 
 @method_decorator(csrf_exempt, name="dispatch")
 class GetClientIdView(View):
+    @sensitive_variables()
     @method_decorator(ratelimit(key="post:username", rate=settings.RATE_LIMIT))
     def post(self, request):
         if settings.OAUTH_CLIENT_ID == "":
@@ -465,6 +469,7 @@ def post(self, request):
 
 @method_decorator(csrf_exempt, name="dispatch")
 class ServerSettingView(View):
+    @sensitive_variables()
     @method_decorator(ratelimit(key="post:username", rate=settings.RATE_LIMIT))
     def post(self, request):
         if settings.OAUTH_CLIENT_ID == "":
@@ -573,6 +578,7 @@ def post(self, request):
 
 @method_decorator(never_cache, name="dispatch")
 class TwoFactorAuthenticationLoginView(View):
+    @sensitive_variables()
     def post(self, request):
         username = request.POST.get("username", None)
         password = request.POST.get("password", None)
@@ -718,6 +724,7 @@ def post(self, request):
 
 @method_decorator(csrf_exempt, name="dispatch")
 class Token(View):
+    @sensitive_variables()
     def get(self, request):
         if settings.DEBUG:
             data = {

diff --git a/releases/8.0.0.md b/releases/8.0.0.md
@@ -20,6 +20,7 @@ Arches 8.0.0 Release Notes
 ### Additional highlights
 - Add session-based REST APIs for login, logout [#11261](https://github.com/archesproject/arches/issues/11261)
 - Add system check advising next action when enabling additional languages without updating graphs [#10079](https://github.com/archesproject/arches/issues/10079)
+- Auth views now filter out passwords from error reports when running in production [#11652](https://github.com/archesproject/arches/issues/11652)
 - Improve handling of longer model names [#11317](https://github.com/archesproject/arches/issues/11317)
 - Support more expressive plugin URLs [#11320](https://github.com/archesproject/arches/issues/11320)
 - Make node aliases not nullable [#10437](https://github.com/archesproject/arches/issues/10437)