From 899a5a32cd478372b4006a5456b20bb2e384860b Mon Sep 17 00:00:00 2001
From: SimFG <bang.fu@zilliz.com>
Date: Wed, 15 Nov 2023 14:40:26 +0800
Subject: [PATCH] Hide the password info when failing to authorize (#28428)

/kind improvement

Signed-off-by: SimFG <bang.fu@zilliz.com>
---
 internal/proxy/authentication_interceptor.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/internal/proxy/authentication_interceptor.go b/internal/proxy/authentication_interceptor.go
index bfd3962a428dc..e2a0a24291ea2 100644
--- a/internal/proxy/authentication_interceptor.go
+++ b/internal/proxy/authentication_interceptor.go
@@ -62,7 +62,7 @@ func AuthenticationInterceptor(ctx context.Context) (context.Context, error) {
 
 			if len(authStrArr) < 1 {
 				log.Warn("key not found in header")
-				return nil, merr.WrapErrParameterInvalidMsg("missing authorization in header")
+				return nil, status.Error(codes.Unauthenticated, "missing authorization in header")
 			}
 
 			// token format: base64<username:password>
@@ -71,14 +71,14 @@ func AuthenticationInterceptor(ctx context.Context) (context.Context, error) {
 			rawToken, err := crypto.Base64Decode(token)
 			if err != nil {
 				log.Warn("fail to decode the token", zap.Error(err))
-				return nil, merr.WrapErrParameterInvalidMsg("invalid token format")
+				return nil, status.Error(codes.Unauthenticated, "invalid token format")
 			}
 
 			if !strings.Contains(rawToken, util.CredentialSeperator) {
 				user, err := VerifyAPIKey(rawToken)
 				if err != nil {
 					log.Warn("fail to verify apikey", zap.Error(err))
-					return nil, err
+					return nil, status.Error(codes.Unauthenticated, "auth check failure, please check api key is correct")
 				}
 				metrics.UserRPCCounter.WithLabelValues(user).Inc()
 				userToken := fmt.Sprintf("%s%s%s", user, util.CredentialSeperator, "___")
@@ -88,8 +88,9 @@ func AuthenticationInterceptor(ctx context.Context) (context.Context, error) {
 				// username+password authentication
 				username, password := parseMD(rawToken)
 				if !passwordVerify(ctx, username, password, globalMetaCache) {
+					log.Warn("fail to verify password", zap.String("username", username))
 					// NOTE: don't use the merr, because it will cause the wrong retry behavior in the sdk
-					return nil, status.Errorf(codes.Unauthenticated, "auth check failure, please check username [%s] and password [%s] are correct", username, password)
+					return nil, status.Error(codes.Unauthenticated, "auth check failure, please check username and password are correct")
 				}
 				metrics.UserRPCCounter.WithLabelValues(username).Inc()
 			}