sourcegraph · jhchabran · Jan 5, 2023 · Jan 4, 2023 · Jan 5, 2023 · Jan 5, 2023
diff --git a/cmd/frontend/internal/httpapi/auth.go b/cmd/frontend/internal/httpapi/auth.go
@@ -1,8 +1,10 @@
 package httpapi
 
 import (
+	"crypto/md5"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 	"time"
 
@@ -43,9 +45,25 @@ func AccessTokenAuthMiddleware(db database.DB, logger log.Logger, next http.Hand
 			if err != nil {
 				if authz.IsUnrecognizedScheme(err) {
 					// Ignore Authorization headers that we don't handle.
+					// 🚨 SECURITY: md5sum the authorization header value so we redact it
+					// while still retaining the ability to link it back to a token, assuming
+					// the logs reader has the value in clear.
+					var redactedValue string
+					h := md5.New()
+					if _, err := io.WriteString(h, headerValue); err != nil {
+						redactedValue = "[REDACTED]"
+					} else {
+						redactedValue = fmt.Sprintf("md5sum:%x", h.Sum(nil))
+					}
+					// TODO: It is possible for the unrecognized header to be legitimate, in the case
+					// of a customer setting up a HTTP header based authentication and decide to still
+					// use the "Authorization" key.
+					//
+					// We should parse the configuration to see if that's the case and only log if it's
+					// not defined over there.
 					logger.Warn(
-						"ignoring unrecognized Authorization header",
-						log.String("value", headerValue),
+						"ignoring unrecognized Authorization header, passing it down to the next layer",
+						log.String("redacted_value", redactedValue),
 						log.Error(err),
 					)
 					next.ServeHTTP(w, r)