fix: redact and zero out plaintext SASL credentials after handshake #350

Open
suchitd wants to merge 1 commit into main from fix/sasl-creds-exported
Conversation

suchitd (Contributor) commented Jun 17, 2026

Proposed Changes

  • Implement `fmt.Stringer` on `PlainAuth` and `AMQPlainAuth` to redact passwords from logs, reflection, or APM dumps.
  • Zero out credentials in `Connection.Config.SASL` after a successful handshake in `openComplete()`.
  • Extract SASL setup from connection URIs into a new helper method `Config.setSASL(uri URI)`.
  • Reset and reinitialize SASL credentials from the connection recovery URL (`c.url`) in `Reconnect()` to ensure automatic reconnection succeeds after the previous connection's credentials were zeroed out.
  • Add comprehensive unit tests in `auth_test.go` and `connection_unit_test.go` verifying redacting, zeroing, and recovery restoration of credentials.

Types of Changes

  • Bugfix
  • New feature
  • Breaking change
  • Documentation
  • Cosmetics

Checklist

  • I have read the CONTRIBUTING.md document
  • All tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

suchitd force-pushed the fix/sasl-creds-exported branch from 63e05ab to 0253bfc on June 17, 2026 11:17
suchitd self-assigned this Jun 17, 2026
suchitd added the bug (Something isn't working) label Jun 17, 2026
suchitd added this to the 1.13.0 milestone Jun 17, 2026
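
The redact, zero and restore steps listed in the PR description, as an added Go example that is not the project's code: `plainAuth`, `config`, `setSASL` and `scrub` are hypothetical stand-ins and the URI is a constructed sample. It also implements `GoString`, because `%#v` does not consult `fmt.Stringer`.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// plainAuth is a hypothetical stand-in for a SASL PLAIN credential pair.
type plainAuth struct{ Username, Password string }

// String redacts the password for %v, %+v and %s (value receiver: pointers are covered too).
func (a plainAuth) String() string {
	return fmt.Sprintf("plainAuth{Username:%q Password:[REDACTED]}", a.Username)
}

// GoString covers %#v, which bypasses fmt.Stringer.
func (a plainAuth) GoString() string { return a.String() }

// config is a hypothetical stand-in for a connection configuration.
type config struct{ SASL []*plainAuth }

// setSASL rebuilds the credentials from a connection URI. It returns a fixed
// error because url.Parse errors echo the raw URI, password included.
func (c *config) setSASL(uri string) error {
	u, err := url.Parse(uri)
	if err != nil || u.User == nil {
		return errors.New("invalid connection URI")
	}
	pw, _ := u.User.Password()
	c.SASL = []*plainAuth{{Username: u.User.Username(), Password: pw}}
	return nil
}

// scrub clears the credentials once the handshake is done. Go strings are
// immutable, so this drops references; it does not overwrite the bytes.
func (c *config) scrub() {
	for _, a := range c.SASL {
		a.Username, a.Password = "", ""
	}
	c.SASL = nil
}

func main() {
	c := &config{}
	if err := c.setSASL("amqp://guest:s3cret@localhost:5672/"); err != nil { // constructed URI
		panic(err)
	}
	fmt.Printf("%v\n%+v\n%#v\n", c.SASL[0], c, c.SASL) // password is redacted in all three
	c.scrub()                                          // after a successful handshake
}
```

Calling `setSASL` again with the stored URI, as the reconnect path in the description does, repopulates the scrubbed configuration.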