I have an application with the following tech stack:
- web frontend app in React
- backend with Python/Django
- GraphQL API using graphene + django-graphql-auth for authentication
- MySQL DB
- hosted on Heroku
In addition to this, the backend is also used by another 3rd party app that authenticates to it and sends data to track activity in a VR application.
I realized that in the Heroku logs, all the requests coming from the VR app (made in Unity) are displaying the password field in plain text. This does not happen if I try to log in through the web app.
Decoding the relevant part for more readability:
```
path="/graphql/?operationName=Login&query=mutation Login {
  tokenAuth(username: "ANNBAC", password: "4379") {
    success
    errors
    user {
      pk
    }
  }
}"
```
Given this scenario, I believe the way the requests are being sent from Unity is the culprit. The problem is that I'm not a Unity developer and would have no idea how to fix this there. I don't even have access to the code, as it belongs to another team. And I think the Unity devs there are also not so familiar with working with web requests in general, so I don't know how to properly guide them on the web part. I could, though, ask them to post whatever relevant code here if people find it necessary to help track down the problem.
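To make the difference concrete for the Unity team, here is an added example (not part of the original post and not the VR app's code) that builds the same `tokenAuth` login two ways and checks what ends up in the request path, which is the part an access log records. The `String!` variable types, the helper names and the `demo-user` / `demo-pass` values are assumptions made for illustration.

```python
import json
import re
from urllib.parse import urlencode, urlsplit, parse_qs

ENDPOINT_PATH = "/graphql/"  # path taken from the logged request

# Mutation with credentials written inline, as in the logged request.
INLINE_MUTATION = (
    'mutation Login {{ tokenAuth(username: "{u}", password: "{p}") '
    "{{ success errors user {{ pk }} }} }}"
)
# Same mutation with credentials passed as GraphQL variables (types assumed).
VARIABLE_MUTATION = (
    "mutation Login($username: String!, $password: String!) { "
    "tokenAuth(username: $username, password: $password) "
    "{ success errors user { pk } } }"
)

def query_string_request(username, password):
    """Form seen in the log: the whole mutation travels in the URL."""
    query = INLINE_MUTATION.format(u=username, p=password)
    qs = urlencode({"operationName": "Login", "query": query})
    return "GET", f"{ENDPOINT_PATH}?{qs}", b""

def body_request(username, password):
    """POST with a JSON body: credentials are variables, the URL stays bare."""
    body = json.dumps({
        "operationName": "Login",
        "query": VARIABLE_MUTATION,
        "variables": {"username": username, "password": password},
    }).encode()
    return "POST", ENDPOINT_PATH, body

PASSWORD_ARG = re.compile(r'password\s*:\s*"([^"]*)"')

def passwords_in_logged_path(path):
    """Return password literals an access log would capture from a path."""
    params = parse_qs(urlsplit(path).query)
    return [m for q in params.get("query", []) for m in PASSWORD_ARG.findall(q)]

if __name__ == "__main__":
    for build in (query_string_request, body_request):
        # constructed sample credentials, not real ones
        method, path, body = build("demo-user", "demo-pass")
        print(method, path[:60], "->", passwords_in_logged_path(path))
```

`passwords_in_logged_path` can also be run over paths pulled from existing logs to find which entries already contain a password and therefore which accounts need a reset.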