-
-
Notifications
You must be signed in to change notification settings - Fork 143
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pokbun API does not work, leaks secret key in debug logs #483
Comments
Thanks for the Analysis. |
Well, I have tried it now. It is not that simple:
Changing it to GET in porkbun.c gives me Here my changes up to now:
The complete file https://paste.debian.net/hidden/1c957794/ |
The error @henfri is because the Content-Length is not being calculated properly. I haven't gotten this to work, but here is a summary of what I found (including henfri's prior work):
|
I am running the latest head (7d576c4) and trying to update the DNS records of a domain whose DNS is managed by porkbun.
This config fails to update the DNS records:
Debug log error:
After looking into the code there seem to be a few issues with it:
Firstly, the example configuration seems to be wrong
When an API token is created with porkbun there does not seem to be a way to restrict its permissions. Also, an API token consists of both an API key and a Secret API Key: in the code the username and password are used for these respectively, but this is not reflected in the example. I have tried setting the username to my domain name, as in the example, but I get the same issue.
The code seems to use the wrong url for the porkbun API:
api.porkbun.com/client/v4
. The official documentation usesporkbun.com/api/json/v3/
- there is no API v4 as far as I can make out. I suspect this is the cause of the issue as thisapi.porkbun.com/client/v4
address does not seem to work using curl in the command line whileporkbun.com/api/json/v3/
does (although I haven't been able to reproduce exactly, I get stuck in a redirect loop rather than hitting a 404).Finally, with debug logging enabled, the code will print the secret API key when making a request. This should be censored or there should be a warning that debug logging can contain sensitive information.
The text was updated successfully, but these errors were encountered: