So the leaked HTTP_X_AUTH_TOKEN value is the one provided in the curl command (I assume the description is using a curl command and request object that aren't related)... it is not the admin_token defined in the [filter:authtoken] configuration.
You are correct that the leak happens only if the notifier middleware is used after the auth_token middleware (which it usually is)... by default the notifier middleware is not enabled in any service.
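
Added example, not part of the comment above and not the project's own code: a minimal WSGI notifier that snapshots the request environ into a notification, shown with and without masking of HTTP_X_AUTH_TOKEN. The class name, the `emit` callback, the deny-list and the sample token are all assumptions made for illustration.

```python
# Hypothetical notifier middleware (illustration only, not the OpenStack code).
# It copies the WSGI environ into an event; without scrubbing, the caller's
# X-Auth-Token ends up in whatever backend receives the notification.

# Assumed deny-list of credential-bearing environ keys.
SENSITIVE_KEYS = {"HTTP_X_AUTH_TOKEN", "HTTP_AUTHORIZATION", "HTTP_COOKIE"}
REDACTED = "<redacted>"


def snapshot_environ(environ, scrub=True):
    """Return a copy of the string-valued environ entries, masking credentials."""
    snapshot = {}
    for key, value in environ.items():
        if not isinstance(value, str):
            continue  # skip wsgi.input and other non-serialisable objects
        masked = scrub and key.upper() in SENSITIVE_KEYS
        snapshot[key] = REDACTED if masked else value
    return snapshot


class NotifierMiddleware:
    """Emits one event per request through the supplied `emit` callable."""

    def __init__(self, app, emit, scrub=True):
        self.app = app
        self.emit = emit
        self.scrub = scrub

    def __call__(self, environ, start_response):
        request = snapshot_environ(environ, self.scrub)
        self.emit({"event_type": "http.request", "payload": {"request": request}})
        # The environ passed downstream is untouched; only the copy is masked.
        return self.app(environ, start_response)


def demo(scrub):
    """Run one constructed request through the pipeline and return the results."""
    events = []

    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/v2/servers",
        "HTTP_X_AUTH_TOKEN": "constructed-user-token-123",  # constructed sample
    }
    pipeline = NotifierMiddleware(app, events.append, scrub=scrub)
    body = pipeline(environ, lambda status, headers: None)
    return events[0]["payload"]["request"], environ, body
```
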