Merge pull request #36 from avinassh/19-auth-url

Remove sensitive data from the url before using
tursodatabase · Aug 3, 2023 · b6fb975 · b6fb975
2 parents 89b92ea + 6d545a6
commit b6fb975
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 5 deletions.
diff --git a/src/hrana.rs b/src/hrana.rs
@@ -4,7 +4,7 @@ use std::collections::HashMap;
 use std::sync::Arc;
 use std::sync::RwLock;
 
-use crate::{BatchResult, ResultSet, Statement};
+use crate::{utils, BatchResult, ResultSet, Statement};
 
 /// Database client. This is the main structure used to
 /// communicate with the database.
@@ -77,18 +77,18 @@ impl Client {
     where
         <T as TryInto<url::Url>>::Error: std::fmt::Display,
     {
-        let url: url::Url = url
+        let mut url: url::Url = url
             .try_into()
             .map_err(|e| anyhow::anyhow!(format!("{e}")))?;
+        // remove the auth token from the URL so that it doesn't get logged anywhere
+        let token = utils::pop_query_param(&mut url, "authToken".to_string());
         let url_str = if url.scheme() == "libsql" {
             let new_url = format!("wss://{}", url.as_str().strip_prefix("libsql://").unwrap());
             url::Url::parse(&new_url).unwrap().to_string()
         } else {
             url.to_string()
         };
-        let mut params = url.query_pairs();
-        // Try a authToken=XXX parameter first, continue if not found
-        if let Some((_, token)) = params.find(|(param_key, _)| param_key == "authToken") {
+        if let Some(token) = token {
             Client::new(url_str, token).await
         } else {
             Client::new(url_str, "").await

diff --git a/src/lib.rs b/src/lib.rs
@@ -166,6 +166,7 @@ pub mod spin;
 
 #[cfg(feature = "hrana_backend")]
 pub mod hrana;
+mod utils;
 
 /// A macro for passing parameters to statements without having to manually
 /// define their types.

diff --git a/src/utils.rs b/src/utils.rs
@@ -0,0 +1,44 @@
+use url::Url;
+
+pub(crate) fn pop_query_param(url: &mut Url, param: String) -> Option<String> {
+    let mut pairs: Vec<_> = url
+        .query_pairs()
+        .map(|(k, v)| (k.into_owned(), v.into_owned()))
+        .collect();
+
+    let value = pairs
+        .iter()
+        .position(|(key, _)| key.eq(param.as_str()))
+        .map(|idx| pairs.swap_remove(idx).1);
+
+    url.query_pairs_mut()
+        .clear()
+        .extend_pairs(pairs.iter().map(|(k, v)| (k.as_str(), v.as_str())));
+
+    value
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use url::Url;
+
+    #[test]
+    fn test_pop_query_param_existing() {
+        let mut url = Url::parse("http://turso.io/?super=yes&sqld=yo").unwrap();
+        let param = "sqld".to_string();
+        let result = pop_query_param(&mut url, param.clone());
+        assert_eq!(result, Some("yo".to_string()));
+        assert_eq!(url.query_pairs().count(), 1);
+        assert_eq!(url.query_pairs().find(|(key, _)| key == &param), None);
+    }
+
+    #[test]
+    fn test_pop_query_param_not_existing() {
+        let mut url = Url::parse("http://turso.io/?super=yes&sqld=yo").unwrap();
+        let param = "ohno".to_string();
+        let result = pop_query_param(&mut url, param.clone());
+        assert_eq!(result, None);
+        assert_eq!(url.as_str(), "http://turso.io/?super=yes&sqld=yo");
+    }
+}