With debug mode on, session token may be logged #869
Comments
Hm, it's not printing the token in the buffer or logs for me. After registering and reloading it just says:
What does it say for you? I agree that it would be better to support secure variables in the register command so it wasn't stored in plain text in |
I see. The token is not logged by default. It is logged if debug mode is on at a low level (I have tried with level
Yes, please! |
Even with Can you post what it logs for you (with the tokens censored)? |
Ah, it's only when I set |
Right if you set it manually as described in the readme, without using |
As far as I understand, `\slack register` always writes the token in plain text into `plugins.var.python.slack.slack_api_token`. The token can be subsequently secured as explained in the Readme, but, after that, the token remains fully accessible in plain text in `logs/core.weechat.weechatlog` and partially accessible in `logs/python.slack.<some>-workspace.weechatlog`.

The Readme should instruct the user to delete the logs after securing the token. Even better, though, would be if wee-slack (or WeeChat?) didn't log any sensitive information to begin with.
Edit: the session token is not logged by default (good!). It is logged when debug mode is on and the debug level is low enough.
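
Added example (not part of the issue thread and not wee-slack code): a log scrubber for the cleanup step the issue asks for, which counts token-like strings in `*.weechatlog` files and can redact them in place. The `xox?-` token pattern, the function names and the sample log contents are assumptions made for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: Slack tokens look like xoxp-/xoxs-/xoxc-/xoxb-... (xoxd- cookies too).
# Partially logged (truncated) tokens shorter than 10 characters are not matched.
TOKEN_RE = re.compile(rb"\bxox[a-z]-[A-Za-z0-9%-]{10,}")


def redact(data: bytes):
    """Replace each token-like match, keeping the 5-byte prefix; return (data, hits)."""
    return TOKEN_RE.subn(lambda m: m.group(0)[:5] + b"[REDACTED]", data)


def scrub_logs(log_dir, rewrite=False):
    """Count token-like strings per *.weechatlog file; redact in place if rewrite=True."""
    findings = {}
    for path in sorted(Path(log_dir).rglob("*.weechatlog")):
        cleaned, hits = redact(path.read_bytes())
        if not hits:
            continue
        findings[path.name] = hits
        if rewrite:
            # Write a private (0600) temp file next to the log, then swap it in.
            fd, tmp = tempfile.mkstemp(dir=path.parent)
            with os.fdopen(fd, "wb") as fh:
                fh.write(cleaned)
            os.replace(tmp, path)
    return findings


if __name__ == "__main__":
    # Constructed sample logs with a fake token, so the example runs offline.
    with tempfile.TemporaryDirectory() as d:
        fake = "xoxs-" + "0123456789-" * 3 + "abcdef"
        Path(d, "core.weechat.weechatlog").write_text(f"debug: token={fake}\n")
        Path(d, "python.slack.example-workspace.weechatlog").write_text("hello\n")
        print(scrub_logs(d))                # report only
        print(scrub_logs(d, rewrite=True))  # redact in place
        print(scrub_logs(d))                # empty once redacted
```

Run it against the WeeChat `logs` directory while WeeChat is not running, since a running client keeps writing to the file it already has open. Redacting the file does not wipe the old blocks from disk, so a token that reached the logs is still best revoked and reissued.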