Is it possible to print the token in the log?

What is the problem you are having with rclone?

I'm having trouble diagnosing a Google API error because I can't tell which Drive user is performing a failing operation.

Run the command 'rclone version' and share the full output of the command.

rclone v1.64.0
- os/version: Microsoft Windows Server 2019 Datacenter 1809 (64 bit)
- os/kernel: 10.0.17763.4737 (x86_64)
- os/type: windows
- os/arch: amd64
- go/version: go1.21.1
- go/linking: static
- go/tags: cmount

Which cloud storage system are you using? (eg Google Drive)

Google Drive (source and target)

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone: Version "v1.64.0" starting with parameters ["C:\\Users\\Administrator\\Documents\\PowerShell\\Modules\\TMCTools\\bin\\rclone.exe" "move" "--check-first" "--config" "C:\\ProgramData\\Transend\\tools\\logs\\Move-GOSharedDrives_20230915_141300\\Test Migration Drive.conf" "--log-file" "C:\\ProgramData\\Transend\\tools\\logs\\Move-GOSharedDrives_20230915_141300\\Test Migration Drive.log" "--order-by" "size,mixed" "--retries" "1" "--stats" "5s" "--stats-one-line-date" "--update" "--user-agent" "ISV|Transend Corporation|TMCTools/1.0" "--log-level" "DEBUG" "--dump" "bodies" "--server-side-across-configs" "--drive-skip-dangling-shortcuts" "--drive-skip-shortcuts" "--create-empty-src-dirs" "Source:" "Target:"]

Please run 'rclone config redacted' and share the full output. If you get command not found, please make sure to update rclone.

[Source]
type = drive
scope = drive
service_account_file = C:\ProgramData\Transend\tools\source.json
impersonate = XXXX
team_drive = XXXX

[Target]
type = drive
scope = drive
service_account_file = C:\ProgramData\Transend\tools\target.json
impersonate = XXXX
team_drive = XXXX

A log from the command that you were trying to run with the -vv flag

2023/09/15 14:13:05 DEBUG : HTTP REQUEST (req 0xc000af6200)
2023/09/15 14:13:05 DEBUG : PATCH /drive/v3/files/XXXX?addParents=XXXX&alt=json&fields=id%2Cname%2Csize%2Cmd5Checksum%2Ctrashed%2CexplicitlyTrashed%2CmodifiedTime%2CcreatedTime%2CmimeType%2Cparents%2CwebViewLink%2CshortcutDetails%2CexportLinks%2CresourceKey&prettyPrint=false&removeParents=XXXX&supportsAllDrives=true HTTP/1.1
Host: www.googleapis.com
User-Agent: ISV|Transend Corporation|TMCTools/1.0
Content-Length: 111
Authorization: XXXX
Content-Type: application/json
X-Goog-Api-Client: gl-go/1.21.1 gdcl/0.134.0
Accept-Encoding: gzip

{"description":"TestVideoFile.mp4","modifiedTime":"2023-09-05T19:33:48.306000000Z","name":"TestVideoFile.mp4"}

2023/09/15 14:13:05 DEBUG : HTTP RESPONSE (req 0xc000af6200)
2023/09/15 14:13:05 DEBUG : HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Cache-Control: private, max-age=0
Content-Type: application/json; charset=UTF-8
Date: Fri, 15 Sep 2023 21:13:05 GMT
Expires: Fri, 15 Sep 2023 21:13:05 GMT
Server: ESF
Vary: Origin, X-Origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0

ff
{
  "error": {
    "code": 400,
    "message": "Bad Request. User message: \"\"",
    "errors": [
      {
        "message": "Bad Request. User message: \"\"",
        "domain": "global",
        "reason": "crossDomainMoveRestriction"
      }
    ]
  }
}

While I am troubleshooting the specific crossDomainMoveRestriction error, this issue is more general. Since the log shows Authorization: XXXX, I cannot match the token used in the failing request to the tokens retrieved at the beginning of the operation, both of which are in plaintext in the log. Given that, I don't see how I can determine which impersonated user is making the API call that fails so that I can narrow my troubleshooting.

It's probably obvious from the use case, but I'll add that the actual token string isn't particularly necessary. Instead of Authorization: XXXX, it would be helpful to print Authorization: Source and Authorization: Target or something similar. I will add that if not leaking the token in the log is important, it should also be omitted from the response, which currently logs it. For example:

2023/09/15 14:13:04 DEBUG : HTTP RESPONSE (req 0xc0008d4500)
2023/09/15 14:13:04 DEBUG : HTTP/1.1 200 OK
Transfer-Encoding: chunked
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json; charset=utf-8
Date: Fri, 15 Sep 2023 21:13:04 GMT
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Server: scaffolding on HTTPServer2
Vary: Origin
Vary: X-Origin
Vary: Referer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0

14d
{
  "access_token": "ya29...",
  "expires_in": 3599,
  "token_type": "Bearer"
}

You can use --dump auth to show the Authorization header if that is helpful.

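One way to act on the `--dump auth` suggestion, as an added example that is not part of the original posts or of rclone: it reads a debug log and, for each request that received a 4xx/5xx response, reports which issued token (by order of issue) the request's bearer token matches, comparing SHA-256 fingerprints so no token is reprinted. The sample log is constructed, and the `Authorization: Bearer <token>` header form under `--dump auth` is an assumption.

```python
import hashlib
import re

# Constructed sample in the layout of the log above. Assumption: with
# --dump auth the request header reads "Authorization: Bearer <token>".
SAMPLE_LOG = """\
2023/09/15 14:13:04 DEBUG : HTTP RESPONSE (req 0xc0008d4500)
2023/09/15 14:13:04 DEBUG : HTTP/1.1 200 OK

{"access_token": "constructed-token-A", "token_type": "Bearer"}
2023/09/15 14:13:04 DEBUG : HTTP RESPONSE (req 0xc0008d4a00)
2023/09/15 14:13:04 DEBUG : HTTP/1.1 200 OK

{"access_token": "constructed-token-B", "token_type": "Bearer"}
2023/09/15 14:13:05 DEBUG : HTTP REQUEST (req 0xc000af6200)
2023/09/15 14:13:05 DEBUG : PATCH /drive/v3/files/XXXX HTTP/1.1
Authorization: Bearer constructed-token-B

2023/09/15 14:13:05 DEBUG : HTTP RESPONSE (req 0xc000af6200)
2023/09/15 14:13:05 DEBUG : HTTP/1.1 400 Bad Request
"""

SECTION = re.compile(r"HTTP (REQUEST|RESPONSE) \(req (0x[0-9a-f]+)\)")
STATUS = re.compile(r"DEBUG : HTTP/\d\.\d (\d{3})")
BEARER = re.compile(r"^Authorization: Bearer (\S+)")
ISSUED = re.compile(r'"access_token":\s*"([^"]+)"')

def fingerprint(token):
    # Short SHA-256 prefix: enough to correlate, useless as a credential.
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def failing_requests(log_text):
    """Return (req id, status, issue order of the token used or None)."""
    issued = {}    # token fingerprint -> order in which it was issued
    used = {}      # req id -> fingerprint of the bearer token it sent
    failures = []
    kind = req = None
    for line in log_text.splitlines():
        if m := SECTION.search(line):
            kind, req = m.groups()
        elif kind == "REQUEST" and (m := BEARER.match(line)):
            used[req] = fingerprint(m.group(1))
        elif kind == "RESPONSE" and (m := ISSUED.search(line)):
            issued.setdefault(fingerprint(m.group(1)), len(issued) + 1)
        elif kind == "RESPONSE" and (m := STATUS.search(line)) and int(m.group(1)) >= 400:
            failures.append((req, int(m.group(1)), issued.get(used.get(req))))
    return failures
```

The issue order still has to be tied to Source or Target by other means, since the token responses shown above do not name the remote. A log containing bearer tokens is itself a credential store until those tokens expire.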
