Should make use of SecretStr for any Token or Password fields
sammaphey opened this issue · 3 comments
To avoid logging tokens or passwords accidentally, pydantic provides a nice SecretStr model as a way to reduce these issues.
Can change instances like:
```python
from typing import Optional

from pydantic import BaseModel


class Token(BaseModel):
    access_token: str
    refresh_token: Optional[str] = None
    token_type: str
```
to
```python
from typing import Optional

from pydantic import BaseModel, SecretStr


class Token(BaseModel):
    access_token: SecretStr
    refresh_token: Optional[SecretStr] = None
    token_type: str
```
Thanks for providing this suggestion! We've gone ahead and created a JIRA ticket for this change to track this issue.
Feel free to provide a contribution as well, and we will happily review it. :)
If SecretStr is used on the Token model, how could we use the OAuth2 login workflow then? The method login_with_oauth2 would output:
```python
{'access_token': '*******',
 'refresh_token': '********',
 'token_type': 'bearer'}
```
So, how can we use the access token to access other API endpoints? If I misunderstood something, could you explain what I'm doing wrong?
@FlorianEisenbarth you aren't wrong. With the use of SecretStr, the OAuth2 login workflow wouldn't work as expected, as the authorization headers would be '*******'. I think the only workaround would be to create a new base model that won't type its fields with SecretStr.
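An added example, not code from the original issue or from the project under discussion: it keeps the SecretStr-typed Token from the proposal above and shows that the raw value is still available on demand through pydantic's SecretStr.get_secret_value(), so an Authorization header can be built from the masked model while str(), repr() and the JSON dump (what typically reaches a log) stay masked. The helper names bearer_header, log_safe_json, safe_summary and secret_leaks and the sample token strings are assumptions for illustration; pydantic (v1 or v2) must be installed.

```python
"""Added example (not part of the original issue or project code).

A Token model typed with SecretStr masks its secrets in str()/repr()/JSON,
but get_secret_value() unwraps them where the caller really needs the raw
token (e.g. an Authorization header). Helper names and sample values below
are assumptions for illustration.
"""
from typing import Optional

from pydantic import BaseModel, SecretStr


class Token(BaseModel):
    # Same shape as the SecretStr variant proposed in the issue.
    access_token: SecretStr
    refresh_token: Optional[SecretStr] = None
    token_type: str


def bearer_header(token: Token) -> dict:
    """Build the Authorization header from the masked model.

    get_secret_value() is the only place the raw secret is unwrapped, so a
    reviewer can grep for that call when auditing where tokens leave the
    process.
    """
    scheme = token.token_type.title()  # 'bearer' -> 'Bearer'
    return {"Authorization": f"{scheme} {token.access_token.get_secret_value()}"}


def safe_summary(token: Token) -> str:
    """What a log line would contain: the model's repr masks every SecretStr."""
    return f"token={token!r}"


def log_safe_json(token: Token) -> str:
    """Serialised form that is safe to log: pydantic masks SecretStr in JSON.

    model_dump_json() is the pydantic v2 spelling, .json() the v1 one; the
    getattr picks whichever the installed version provides.
    """
    dump = getattr(token, "model_dump_json", None) or token.json
    return dump()


def secret_leaks(text: str, token: Token) -> bool:
    """True if a rendered string contains the raw access token."""
    return token.access_token.get_secret_value() in text


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    tok = Token(
        access_token="hunter2-access",
        refresh_token="hunter2-refresh",
        token_type="bearer",
    )
    print(safe_summary(tok))   # masked: access_token=SecretStr('**********') ...
    print(log_safe_json(tok))  # masked JSON, safe to log
    print(bearer_header(tok))  # {'Authorization': 'Bearer hunter2-access'}
```

The design point is that the masked model and the usable token are not in conflict: every path that renders the model (logging, debug printing, JSON serialisation) stays redacted, and the one function that needs the secret unwraps it explicitly, which is easier to audit than a second, unmasked model class.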