From da20e6668be87d3699148faf8c15b2ca484a1ab9 Mon Sep 17 00:00:00 2001
From: James Phillips <james@hashicorp.com>
Date: Wed, 11 Nov 2015 22:54:55 -0800
Subject: [PATCH] Adds a note about obfuscating query name/ID from the logs.

---
 command/agent/http.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/command/agent/http.go b/command/agent/http.go
index 04d0e76192..9828444d8f 100644
--- a/command/agent/http.go
+++ b/command/agent/http.go
@@ -310,6 +310,15 @@ func (s *HTTPServer) wrap(handler func(resp http.ResponseWriter, req *http.Reque
 			}
 		}
 
+		// TODO (slackpad) We may want to consider redacting prepared
+		// query names/IDs here since they are proxies for tokens. But,
+		// knowing one only gives you read access to service listings
+		// which is pretty trivial, so it's probably not worth the code
+		// complexity and overhead of filtering them out. You can't
+		// recover the token it's a proxy for with just the query info;
+		// you'd need the actual token (or a management token) to read
+		// that back.
+
 		// Invoke the handler
 		start := time.Now()
 		defer func() {