TL;DR The configured GitLab repository uri containing the deploy token (credentials) is returned in any response.
Environment

| Component | Version |
|---|---|
| Spring Boot | 2.4.0 |
| Spring Cloud | 2020.0.0-M5 |
| GitLab CE | 13.5.3 |
| Java VM | openjdk 11 |
Long Version
GitLab allows reading (pulling) repositories with deploy or access tokens. I could not find any documentation explaining how to configure this in a Spring Cloud Config Server. According to the official documentation on spring.io, the server uses JGit to communicate with remote Git repositories.
So I looked up the JGit documentation and found an explanation of how to use deploy tokens with GitLab. You specify a GitLab repository URI with basic HTTP authentication and additionally specify a username and password separately. Link: https://www.codeaffine.com/2014/12/09/jgit-authentication/ (Authentication @ GitLab)
I adopted this for the Spring Cloud Config Server and it works, but the credentials configured in the GitLab repository URI are exposed as well when content is served. When I remove either the credentials in the URI or the username/password properties, the server fails to connect to the repository.
application.properties:
spring.cloud.config.server.git.uri=https://<deploy-token-name>:<token>@gitlab.home.local/spring-cloud-config
spring.cloud.config.server.git.username=<deploy-token-name>
spring.cloud.config.server.git.password=<token>
spring.cloud.config.server.git.clone-on-start=true
server.port=8888
Reading properties for a service returns a response like this:
GET https://cloud-config.home.local:8888/some-service/development
Response:
{
  "name": "some-service",
  "profiles": [
    "development"
  ],
  "label": null,
  "version": "b87f905c28cc911b056c5ecf6aef6724bfbbbe58",
  "state": null,
  "propertySources": [
    {
      "name": "https://<deploy-token-name>:<token>@gitlab.home.local/spring-cloud-config.git/some-service/application-development.properties",
      "source": {
        "my.property": "Hello from development"
      }
    },
    {
      "name": "https://<deploy-token-name>:<token>@gitlab.home.local/spring-cloud-config.git/application.properties",
      "source": {
        "my.property": "Hello from default"
      }
    }
  ]
}
Best regards, David
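A check for the leak reported above, as an added example that is not part of the original issue or of Spring Cloud Config: it scans a config server response for `propertySources` names whose URI carries userinfo and returns a redacted copy. The sample response and the `EXAMPLE-TOKEN` value are constructed; `strip_userinfo` and `audit_environment` are hypothetical names.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample modelled on the response in the report; the token is a placeholder.
SAMPLE_RESPONSE = json.dumps({
    "name": "some-service",
    "profiles": ["development"],
    "propertySources": [
        {"name": "https://deploy-token-name:EXAMPLE-TOKEN@gitlab.home.local/"
                 "spring-cloud-config.git/some-service/application-development.properties",
         "source": {"my.property": "Hello from development"}},
        {"name": "https://gitlab.home.local/spring-cloud-config.git/application.properties",
         "source": {"my.property": "Hello from default"}},
    ],
})


def strip_userinfo(name):
    """Return (clean_name, leaked); leaked is True if the URI carried userinfo."""
    parts = urlsplit(name)
    if parts.scheme not in ("http", "https", "ssh") or "@" not in parts.netloc:
        return name, False
    # rsplit keeps only the host[:port], even if the password itself contains '@'.
    host = parts.netloc.rsplit("@", 1)[1]
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, True


def audit_environment(body):
    """Scan a config server JSON response; return (findings, redacted_document)."""
    doc = json.loads(body)
    findings = []
    for index, source in enumerate(doc.get("propertySources", [])):
        clean, leaked = strip_userinfo(source.get("name", ""))
        if leaked:
            findings.append({"index": index, "redacted_name": clean})
            source["name"] = clean
    return findings, doc


if __name__ == "__main__":
    found, redacted = audit_environment(SAMPLE_RESPONSE)
    for item in found:
        print("credentials in propertySources[%d].name -> %s"
              % (item["index"], item["redacted_name"]))
    print(json.dumps(redacted, indent=2))
```

The findings list deliberately holds only the redacted name, so the token is not copied into audit output or logs.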
Comment From: spencergibb
This is a duplicate