authorCraig Jennings <c@cjennings.net>2026-05-03 19:40:17 -0500
committerCraig Jennings <c@cjennings.net>2026-05-03 19:40:17 -0500
commite646995e940281e0ef575abc71532ac17f1b4fa9 (patch)
tree57d9a63a073428a503eccb3e04823bca64cf741e /modules
parent6a2539951416fd1ee2ad744090faf255031b71e7 (diff)
fix: default auth-source debug logging to disabled
`auth-config.el` was setting `auth-source-debug` to t at startup. That meant every credential lookup printed verbose context to *Messages*. The flag was useful while debugging GPG flow but not appropriate for steady state, since the same config handles Slack, AI, REST, mail, and transcription credentials. I added a `cj/auth-source-debug-enabled` defcustom (default nil) and wired the use-package block to read its value. For temporary troubleshooting I added two commands: `cj/set-auth-source-debug` (prompted on / off via `y-or-n-p`) and `cj/toggle-auth-source-debug` (M-x convenience). I also scanned the nearby auth callers. The visible failure messages name hosts and logins but don't print secret values directly. So this change closes the practical exposure path without losing useful diagnostics. I added `tests/test-auth-config-debug.el` covering the disabled-by-default invariant and the setter wiring through both public variables.
Diffstat (limited to 'modules')
-rw-r--r--modules/auth-config.el27
1 files changed, 25 insertions, 2 deletions
diff --git a/modules/auth-config.el b/modules/auth-config.el
index c760d71a..f2df1746 100644
--- a/modules/auth-config.el
+++ b/modules/auth-config.el
@@ -8,7 +8,7 @@
;; • auth-source
;; – Forces use of your default authinfo file
;; – Disable external GPG agent in favor of Emacs's own prompt
-;; – Enable auth-source debug messages
+;; – Keeps auth-source debug logging disabled by default
;; • Easy PG Assistant (epa)
;; – Force using the 'gpg2' executable for encryption/decryption operations
@@ -26,6 +26,29 @@
(require 'system-lib)
(eval-when-compile (require 'user-constants)) ;; defines authinfo-file location
+(defcustom cj/auth-source-debug-enabled nil
+ "Non-nil means enable verbose auth-source debug logging.
+
+Keep this nil during normal startup. Auth-source debug output is useful
+for troubleshooting credential lookup problems, but it can expose too
+much context about sensitive services in the Messages buffer."
+ :type 'boolean
+ :group 'auth-source)
+
+(defun cj/set-auth-source-debug (enabled)
+ "Set auth-source debug logging according to ENABLED."
+ (interactive
+ (list (y-or-n-p "Enable auth-source debug logging? ")))
+ (setq cj/auth-source-debug-enabled enabled)
+ (setq auth-source-debug enabled)
+ (message "auth-source debug logging %s"
+ (if enabled "enabled" "disabled")))
+
+(defun cj/toggle-auth-source-debug ()
+ "Toggle verbose auth-source debug logging for troubleshooting."
+ (interactive)
+ (cj/set-auth-source-debug (not auth-source-debug)))
+
;; -------------------------------- Auth Sources -------------------------------
;; auth sources settings
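Review bot: The new `cj/auth-source-debug-enabled` defcustom has no `:set` function, so its value reaches `auth-source-debug` only through the one-time `setq` in the last hunk or through `cj/set-auth-source-debug`; setting the option back to nil later via Customize or `setopt` leaves the live variable at t, and logging continues while the option reads as disabled. The auth-source docstring states that debug output puts authentication data in the clear except for passwords, so the off switch is the one that must be reliable: add `:set (lambda (sym val) (set-default sym val) (setq auth-source-debug val))` to the defcustom. Separately, `cj/toggle-auth-source-debug` reads `auth-source-debug` directly, which would signal void-variable if the command runs before auth-source is loaded (the use-package form's load timing is not visible in this hunk); `(not (bound-and-true-p auth-source-debug))` avoids that. The `cj/set-auth-source-debug` docstring could also say that disabling does not remove lines already written to the Messages buffer.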
@@ -36,7 +59,7 @@
;; USE gpg-agent for passphrase caching (400-day cache from gpg-agent.conf)
;; (setenv "GPG_AGENT_INFO" nil) ;; DISABLED: was preventing gpg-agent cache
(setq auth-sources `(,authinfo-file)) ;; use authinfo.gpg (see user-constants.el)
- (setq auth-source-debug t) ;; echo debug info to Messages
+ (setq auth-source-debug cj/auth-source-debug-enabled)
(setq auth-source-cache-expiry 86400)) ;; cache decrypted credentials for 24 hours
;; ----------------------------- Easy PG Assistant -----------------------------