Hide Auth information in replication document for reader

  - don't display credential information for user who
  just wants to check replication status. In basic authentication,
  the credential information is available in header field of doc

1 files changed, 31 insertions, 1 deletions

diff --git a/src/couch_replicator/src/couch_replicator_docs.erl b/src/couch_replicator/src/couch_replicator_docs.erl
index 6666cba53..1fe91eca4 100644
--- a/src/couch_replicator/src/couch_replicator_docs.erl
+++ b/src/couch_replicator/src/couch_replicator_docs.erl
@@ -695,7 +695,8 @@ strip_credentials(Url) when is_binary(Url) ->
         "http\\1://\\2",
         [{return, binary}]);
 strip_credentials({Props}) ->
-    {lists:keydelete(<<"oauth">>, 1, Props)}.
+    Props1 = lists:keydelete(<<"oauth">>, 1, Props),
+    {lists:keydelete(<<"headers">>, 1, Props1)}.
 
 
 error_reason({shutdown, Error}) ->
@@ -761,4 +762,33 @@ check_convert_options_fail_test() ->
     ?assertThrow({bad_request, _},
         convert_options([{<<"selector">>, [{key, value}]}])).
 
+check_strip_credentials_test() ->
+    [?assertEqual(Expected, strip_credentials(Body)) || {Expected, Body} <- [
+        {
+            undefined,
+            undefined
+        },
+        {
+            <<"https://remote_server/database">>,
+            <<"https://foo:bar@remote_server/database">>
+        },
+        {
+            {[{<<"_id">>, <<"foo">>}]},
+            {[{<<"_id">>, <<"foo">>}, {<<"oauth">>, <<"bar">>}]}
+        },
+        {
+            {[{<<"_id">>, <<"foo">>}]},
+            {[{<<"_id">>, <<"foo">>}, {<<"headers">>, <<"bar">>}]}
+        },
+        {
+            {[{<<"_id">>, <<"foo">>}, {<<"other">>, <<"bar">>}]},
+            {[{<<"_id">>, <<"foo">>}, {<<"other">>, <<"bar">>}]}
+        },
+        {
+            {[{<<"_id">>, <<"foo">>}]},
+            {[{<<"_id">>, <<"foo">>}, {<<"oauth">>, <<"bar">>},
+                {<<"headers">>, <<"baz">>}]}
+        }
+    ]].
+
 -endif.