From 5b1034895795ed1e8398e639cf7bc9f4a62db5d3 Mon Sep 17 00:00:00 2001
From: Simon Ser
Date: Mon, 12 Sep 2022 21:42:03 +0200
Subject: [PATCH] downstream: don't echo back SASL mechanism

Some clients will queue up multiple AUTHENTICATE commands without waiting for a reply to avoid some roundtrips. However that means the traffic looks like so: AUTHENTICATE AUTHENTICATE soju will fail the first command, and will behave as if no SASL authentication was in progress when interpreting the second one. This means we'll echo back the security-sensitive base64 blob to the client in the error message, which is definitely not great. Stop doing that.
---
 downstream.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/downstream.go b/downstream.go
index a091f93..c99552c 100644
--- a/downstream.go
+++ b/downstream.go
@@ -1002,7 +1002,7 @@ func (dc *downstreamConn) handleAuthenticateCommand(msg *irc.Message) (result *d
 return nil, ircError{&irc.Message{
 Prefix: dc.srv.prefix(),
 Command: irc.ERR_SASLFAIL,
- Params: []string{dc.nick, fmt.Sprintf("Unsupported SASL mechanism %q", mech)},
+ Params: []string{dc.nick, "Unsupported SASL mechanism"},
 }}
 }
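Review bot: The new Params line stops reflecting the value back to the client, but nothing in the hunk records why, and the next maintainer may well reintroduce `%q` of mech for a friendlier error; a comment on the return such as `// Don't include mech: with pipelined AUTHENTICATE it can be a credential blob, not a mechanism name.` would pin the intent. The same value should also stay out of any log or error-wrapping path that reports this failure, which this hunk cannot show either way. If this Sprintf was the only use of fmt in downstream.go the import is now unused and the file will not compile, which cannot be confirmed from the hunk. handleAuthenticateCommand starts and ends outside the hunk.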