From ec501dfee9fe615767d7d139d7237bb8f9932c16 Mon Sep 17 00:00:00 2001
From: Mouse Reeve
Date: Tue, 7 Sep 2021 13:21:40 -0700
Subject: [PATCH] Make sure passwords aren't exposed in error reporting

---
 bookwyrm/views/login.py | 5 ++++-
 bookwyrm/views/register.py | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/bookwyrm/views/login.py b/bookwyrm/views/login.py
index b213590f..1ca65f2f 100644
--- a/bookwyrm/views/login.py
+++ b/bookwyrm/views/login.py
@@ -6,8 +6,9 @@ from django.template.response import TemplateResponse
 from django.utils import timezone
 from django.utils.decorators import method_decorator
 from django.utils.translation import gettext_lazy as _
-from django.views.decorators.csrf import csrf_exempt
 from django.views import View
+from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.debug import sensitive_variables, sensitive_post_parameters
 
 from bookwyrm import forms, models
 from bookwyrm.settings import DOMAIN
@@ -30,6 +31,8 @@ class Login(View):
         }
         return TemplateResponse(request, "login.html", data)
 
+    @sensitive_variables("password")
+    @sensitive_post_parameters("password")
     def post(self, request):
         """authentication action"""
         if request.user.is_authenticated:
diff --git a/bookwyrm/views/register.py b/bookwyrm/views/register.py
index 334b2968..1ffa16ec 100644
--- a/bookwyrm/views/register.py
+++ b/bookwyrm/views/register.py
@@ -3,8 +3,9 @@ from django.contrib.auth import login
 from django.core.exceptions import PermissionDenied
 from django.shortcuts import get_object_or_404, redirect
 from django.template.response import TemplateResponse
-from django.views.decorators.http import require_POST
 from django.views import View
+from django.views.decorators.http import require_POST
+from django.views.decorators.debug import sensitive_variables, sensitive_post_parameters
 
 from bookwyrm import emailing, forms, models
 from bookwyrm.settings import DOMAIN
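Review bot: `@sensitive_post_parameters("password")` is stacked directly on the `post` method of the `Login` class-based view, so the decorator's wrapper receives `self` in the position where it expects the `HttpRequest`; Django's implementation checks that its first argument is an `HttpRequest` and raises when it is not, which would make every login POST fail instead of merely redacting the parameter from error reports. Django's documented way to use it on a class-based view is through `method_decorator`, which this file already imports: `@method_decorator(sensitive_post_parameters("password"))`. The same applies to the `Register.post` hunk in `bookwyrm/views/register.py`, where `method_decorator` is not among the visible imports and would need to be added. `@sensitive_variables("password")` is fine as a plain method decorator, but note it only masks a local variable literally named `password` in `post`'s own frame, so passwords held under other names or in nested calls are not covered by it. `Login.post`'s body continues outside the hunk.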
@@ -14,6 +15,8 @@ from bookwyrm.settings import DOMAIN
 class Register(View):
     """register a user"""
 
+    @sensitive_variables("password")
+    @sensitive_post_parameters("password")
     def post(self, request):
         """join the server"""
         settings = models.SiteSettings.get()