Merge 52794ba783 into 65037b086c

providers/internal_util.go

@@ -71,12 +71,12 @@ func validateToken(ctx context.Context, p Provider, accessToken string, header h
 		return false
 	}
 
-	logger.Printf("%d GET %s %s", result.StatusCode(), stripToken(endpoint), result.Body())
+	logger.Printf("%d GET %s", result.StatusCode(), stripToken(endpoint))
 
 	if result.StatusCode() == 200 {
 		return true
 	}
-	logger.Errorf("token validation request failed: status %d - %s", result.StatusCode(), result.Body())
+	logger.Errorf("token validation request failed: status %d", result.StatusCode())
 	return false
 }
 

providers/internal_util_test.go

@@ -1,14 +1,17 @@
 package providers
 
 import (
+	"bytes"
 	"context"
 	"errors"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"os"
 	"testing"
 
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -139,6 +142,25 @@ func TestValidateSessionValidateURLWithQueryParams(t *testing.T) {
 	assert.Equal(t, true, validateToken(context.Background(), vtTest.provider, "foobar", nil))
 }
 
+func TestValidateTokenDoesNotLogResponseBody(t *testing.T) {
+	vtTest := NewValidateSessionTest()
+	defer vtTest.Close()
+	vtTest.responseCode = 401
+
+	var buf bytes.Buffer
+	logger.SetOutput(&buf)
+	defer logger.SetOutput(os.Stdout)
+
+	validateToken(context.Background(), vtTest.provider, "foobar", nil)
+
+	output := buf.String()
+	// Response body from the test server is "only code matters; contents disregarded"
+	assert.NotContains(t, output, "only code matters")
+	assert.NotContains(t, output, "contents disregarded")
+	// But we should still see the status code logged
+	assert.Contains(t, output, "401")
+}
+
 func TestStripTokenNotPresent(t *testing.T) {
 	test := "http://local.test/api/test?a=1&b=2"
 	assert.Equal(t, test, stripToken(test))