Remove API token from logs

[josecelano]

We are using a token query param for API authentication and we are logging the whole request URL.

2024-03-11T16:53:33.249051604+00:00 [API][INFO] request; method=GET uri=/api/v1/torrents?token=MyAccessToken&info_hash=2b66980093bc11806fab50cb3cb41835b95a0362 request_id=d99df52a-dfb8-4608-9974-b4d9c445ee41
2024-03-11T16:53:33.249113794+00:00 [API][INFO] response; latency=0 status=200 OK request_id=d99df52a-dfb8-4608-9974-b4d9c445ee41

That means tokens are included in the logs.

We should hide those tokens with **** or change the way we pass the token. We could use an HTTP header like in the Index. I prefer the second option because other proxies could also log the URLs.

[josecelano]

Instead of removing the token from the logs we could add a new authentication method. We could use a bearer token authentication scheme. We are using it in the Index, so we only need to adapt that code:

https://github.com/torrust/torrust-index/blob/develop/src/web/api/server/v1/auth.rs

Maybe we can keep the GET param token for testing because it makes it easier to load API resources. However, I would remove it, we can use https://www.postman.com/ or curl.

[josecelano]

Hi @da2ce7 I think I will make an small improvement for now. I will allow to include the token not only via a URL param but also as a Authorization Header. I think that would require two small changes:

• In the server we prioritize the token in the header.
• In the client we always use the header to send the token.

Since we are planning big changes in APIs:

• API V2: new API with the correct response codes #144
• Alternatives to the Tracker REST API #1307

We can postpone to decide which method to use. Maybe It would be useful to have some kind of users also in the tracker and a more advance token generation:

• With granularity in permission
• With expiration date
• Etc.