fix: harden login for MLPS requirements

This commit is contained in:
2026-05-14 11:05:20 +08:00
parent ecf3ee1ef0
commit 879677516f
39 changed files with 1230 additions and 71 deletions
@@ -105,3 +105,36 @@ func TestLoggerUsesForwardedClientIPFromTrustedProxy(t *testing.T) {
require.Equal(t, http.StatusOK, resp.Code)
require.Contains(t, logBuffer.String(), `"client_ip":"106.14.89.27"`)
}
func TestLoggerRedactsSensitiveQueryValues(t *testing.T) {
t.Parallel()
gin.SetMode(gin.TestMode)
var logBuffer bytes.Buffer
encoderConfig := zap.NewProductionEncoderConfig()
encoderConfig.TimeKey = ""
logger := zap.New(zapcore.NewCore(
zapcore.NewJSONEncoder(encoderConfig),
zapcore.AddSync(&logBuffer),
zapcore.DebugLevel,
))
router := gin.New()
router.Use(RequestID())
router.Use(Logger(logger))
router.GET("/test", func(c *gin.Context) {
c.Status(http.StatusOK)
})
req := httptest.NewRequest(http.MethodGet, "/test?password=secret&tab=cards&token=abc", nil)
resp := httptest.NewRecorder()
router.ServeHTTP(resp, req)
require.Equal(t, http.StatusOK, resp.Code)
logLine := logBuffer.String()
require.Contains(t, logLine, `"query":"password=%5BREDACTED%5D&tab=cards&token=%5BREDACTED%5D"`)
require.NotContains(t, logLine, "secret")
require.NotContains(t, logLine, "token=abc")
}