When logs are a DEBUG level we can observe user password in logs.

[kjonca]

Current Behavior

During testing openvpn-auth-oauth2 I found that when in DEBUG mode it can put user password to logs.
Although this may not be major issue, this still the posibility that user send its "real" password when debgugging.

Expected Behavior

Password should be masked or (if we need to verify it) some kind of hash function (sha256?) should be applied.

Steps To Reproduce

1. set DEBUG logs for  openvpn-auth-oauth2
2. client should be configured with 
`<auth-user-pass>
dummy
dummy
</auth-user-pass>`
not with certificates
3. observe logs

Environment

• openvpn-auth-oauth2 Version: commit 1dc2a22
• OpenVPN Server Version: OpenVPN 2.6.12 x86_64-pc-linux-gnu
• Server OS: linux
• OpenVPN Client (flavor, OS): tested on windows and linux
• OIDC Provider: Microsoft

openvpn-auth-oauth2 logs

`[...]openvpn-auth-oauth2[8852]: time=2025-02-12T05:52:57.209Z level=DEBUG msg=">CLIENT:CONNECT,35060,1\r\n>CLIENT:ENV,n_clients=0\r\n>CLIENT:ENV,password=dummy\r\n>CLIENT:ENV,untrusted_port=27916\r\n>CLIENT:ENV,untrusted_ip=31.61
.233.222\r\n>CLIENT:ENV,username=dummy\r\n>CLIENT:ENV,IV_SSO=openurl,webauth,crtext\r\n[...]`
(unimportant things redacted)

openvpn server logs

Anything else?

No response

Preflight Checklist

• I could not find a solution in the documentation,
  the FAQ, the existing issues or discussions.

[jkroepke]

Actually, it is a major issue. thanks for the report.