Bug:Misleading log and secret been exposed in logs #3056

@SD191100

Description

What were you trying to achieve?

file supermq/mqtt/handler.go

at line 33:
LogInfoDisconnected = "disconnected client_id %s and username %s"

meaning the ID and username should be logged;
at line 217:

h.logger.Info(fmt.Sprintf(LogInfoDisconnected, s.ID, s.Password))

we are passing s.Password (the client_secret) instead of s.Username.

What are the expected results?

logs
{"time":"2025-08-08T06:18:32.851805557Z","level":"INFO","msg":"disconnected client_id 8abe74aa-ca45-467d-8941-8a1696baca57-publisher and username 8abe74aa-ca45-467d-8941-8a1696baca57"}

where
client_id 8abe74aa-ca45-467d-8941-8a1696baca57-publisher and
username 8abe74aa-ca45-467d-8941-8a1696baca57

What are the received results?

logs

{"time":"2025-08-08T06:18:32.851805557Z","level":"INFO","msg":"disconnected client_id 8abe74aa-ca45-467d-8941-8a1696baca57-publisher and username b6fbc830-63b1-4a31-8d01-ac222d33516f"}

where
client_id 8abe74aa-ca45-467d-8941-8a1696baca57-publisher and
client_secret b6fbc830-63b1-4a31-8d01-ac222d33516f

Steps To Reproduce

  1. Clone the supermq repository.
  2. cd into supermq and use the command make dockers to build all images.
  3. cd into supermq/docker/ and use the command docker compose up -d.
  4. Create a user, domain, client, and channel, and take the client_id, client_secret, domain_id and channel_id.
  5. Use domain_id and channel_id as the topic, and client_id and secret for auth.
  6. Use some mock framework to connect as a publisher.

In what environment did you encounter the issue?

I used the included docker compose environment and did everything on localhost using mqtt://localhost:1883.

Additional information you deem important

This is my first time adding an issue to an open source project, and the solution to it is very simple. If possible, can I get assigned to this issue so I can solve it and start my open source contribution?
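As an added example (not supermq's own code; the Session type and its ID, Username and Password fields are assumed from the s.ID, s.Username and s.Password references in the report), here is the reported call beside the one-word fix, plus a structured-logging variant that keeps the secret out of the record by construction and the check a unit test can run over every emitted line:

```go
package main

import (
	"bytes"
	"fmt"
	"log/slog"
	"strings"
)

// Session is a constructed stand-in for the session value the issue refers to
// (s.ID, s.Username, s.Password); it is not the project's own type.
type Session struct {
	ID       string
	Username string
	Password string // the client_secret: must never reach a log line
}

// LogInfoDisconnected is the format string quoted in the issue.
const LogInfoDisconnected = "disconnected client_id %s and username %s"

// disconnectMessageBuggy reproduces the reported defect: the second %s is fed
// the secret rather than the username the template promises.
func disconnectMessageBuggy(s Session) string {
	return fmt.Sprintf(LogInfoDisconnected, s.ID, s.Password)
}

// disconnectMessageFixed is the fix: pass s.Username as the template says.
func disconnectMessageFixed(s Session) string {
	return fmt.Sprintf(LogInfoDisconnected, s.ID, s.Username)
}

// LogValue implements slog.LogValuer so that a Session handed to a structured
// logger is rendered without its secret, whatever a future caller passes.
func (s Session) LogValue() slog.Value {
	return slog.GroupValue(
		slog.String("client_id", s.ID),
		slog.String("username", s.Username),
	)
}

// disconnectRecordJSON logs the disconnect through slog's JSON handler and
// returns the emitted line so it can be inspected and tested.
func disconnectRecordJSON(s Session) string {
	var buf bytes.Buffer
	h := slog.NewJSONHandler(&buf, &slog.HandlerOptions{
		// Drop the timestamp so the rendered line is deterministic.
		ReplaceAttr: func(groups []string, a slog.Attr) slog.Attr {
			if a.Key == slog.TimeKey && len(groups) == 0 {
				return slog.Attr{}
			}
			return a
		},
	})
	slog.New(h).Info("disconnected", "session", s)
	return strings.TrimSpace(buf.String())
}

// leaksSecret is the assertion a test should make over every rendered log
// line: a non-empty secret must never appear in it.
func leaksSecret(line, secret string) bool {
	return secret != "" && strings.Contains(line, secret)
}

func main() {
	// Constructed sample values shaped like the identifiers in the report.
	s := Session{
		ID:       "8abe74aa-ca45-467d-8941-8a1696baca57-publisher",
		Username: "8abe74aa-ca45-467d-8941-8a1696baca57",
		Password: "b6fbc830-63b1-4a31-8d01-ac222d33516f",
	}
	for name, line := range map[string]string{
		"buggy": disconnectMessageBuggy(s),
		"fixed": disconnectMessageFixed(s),
		"slog":  disconnectRecordJSON(s),
	} {
		fmt.Printf("%-5s leaks=%t %s\n", name, leaksSecret(line, s.Password), line)
	}
}
```

The LogValuer approach is the durable part: once the type decides which of its fields are loggable, a mis-ordered argument at a call site can no longer turn a secret into log output, and leaksSecret gives CI a concrete property to fail on.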

Metadata

Assignees

Labels

Type

No type

Projects

Status

⛏ Backlog

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
