apache · mmodzelewski · Mar 17, 2026 · Mar 14, 2026 · Mar 16, 2026 · Mar 16, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -237,6 +237,7 @@ rust-embed = "8.11.0"
 rust-s3 = { version = "0.37.1", default-features = false, features = ["tokio-rustls-tls", "tags"] }
 rustls = { version = "0.23.37", features = ["ring"] }
 rustls-pemfile = "2.2.0"
+secrecy = { version = "0.10", features = ["serde"] }
 send_wrapper = "0.6.0"
 serde = { version = "1.0.228", features = ["derive", "rc"] }
 serde_json = "1.0.149"

diff --git a/core/cli/Cargo.toml b/core/cli/Cargo.toml
@@ -58,6 +58,7 @@ iggy = { workspace = true }
 iggy_common = { workspace = true }
 keyring = { workspace = true, optional = true }
 passterm = { workspace = true }
+secrecy = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 thiserror = { workspace = true }

diff --git a/core/cli/src/commands/binary_personal_access_tokens/create_personal_access_token.rs b/core/cli/src/commands/binary_personal_access_tokens/create_personal_access_token.rs
@@ -23,6 +23,7 @@ use iggy_common::Client;
 use iggy_common::PersonalAccessTokenExpiry;
 use iggy_common::create_personal_access_token::CreatePersonalAccessToken;
 use keyring::Entry;
+use secrecy::ExposeSecret;
 use tracing::{Level, event};
 
 pub struct CreatePersonalAccessTokenCmd {
@@ -84,7 +85,7 @@ impl CliCommand for CreatePersonalAccessTokenCmd {
         if self.store_token {
             let server_address = format!("iggy:{}", self.server_address);
             let entry = Entry::new(&server_address, &self.create_token.name)?;
-            entry.set_password(&token.token)?;
+            entry.set_password(token.token.expose_secret())?;
             event!(target: PRINT_TARGET, Level::DEBUG,"Stored token under service: {} and name: {}", server_address,
                     self.create_token.name);
             event!(target: PRINT_TARGET, Level::INFO,
@@ -96,7 +97,7 @@ impl CliCommand for CreatePersonalAccessTokenCmd {
                 },
             );
         } else if self.quiet_mode {
-            println!("{}", token.token);
+            println!("{}", token.token.expose_secret());
         } else {
             event!(target: PRINT_TARGET, Level::INFO,
                 "Personal access token with name: {} and {} created",
@@ -107,7 +108,7 @@ impl CliCommand for CreatePersonalAccessTokenCmd {
                 },
             );
             event!(target: PRINT_TARGET, Level::INFO,"Token: {}",
-                            token.token);
+                            token.token.expose_secret());
         }
 
         Ok(())

diff --git a/core/cli/src/commands/binary_system/login.rs b/core/cli/src/commands/binary_system/login.rs
@@ -23,6 +23,7 @@ use anyhow::Context;
 use async_trait::async_trait;
 use iggy_common::Client;
 use iggy_common::SEC_IN_MICRO;
+use secrecy::ExposeSecret;
 use tracing::{Level, event};
 
 const DEFAULT_LOGIN_SESSION_TIMEOUT: u64 = SEC_IN_MICRO * 15 * 60;
@@ -94,7 +95,7 @@ impl CliCommand for LoginCmd {
                 )
             })?;
 
-        self.server_session.store(&token.token)?;
+        self.server_session.store(token.token.expose_secret())?;
 
         event!(target: PRINT_TARGET, Level::INFO,
             "Successfully logged into Iggy server {}",

diff --git a/core/cli/src/commands/binary_users/create_user.rs b/core/cli/src/commands/binary_users/create_user.rs
@@ -23,6 +23,7 @@ use iggy_common::Client;
 use iggy_common::Permissions;
 use iggy_common::UserStatus;
 use iggy_common::create_user::CreateUser;
+use secrecy::{ExposeSecret, SecretString};
 use tracing::{Level, event};
 
 pub struct CreateUserCmd {
@@ -39,7 +40,7 @@ impl CreateUserCmd {
         Self {
             create_user: CreateUser {
                 username,
-                password,
+                password: SecretString::from(password),
                 status,
                 permissions,
             },
@@ -50,31 +51,28 @@ impl CreateUserCmd {
 #[async_trait]
 impl CliCommand for CreateUserCmd {
     fn explain(&self) -> String {
-        format!(
-            "create user with username: {} and password: {}",
-            self.create_user.username, self.create_user.password
-        )
+        format!("create user with username: {}", self.create_user.username)
     }
 
     async fn execute_cmd(&mut self, client: &dyn Client) -> anyhow::Result<(), anyhow::Error> {
         client
             .create_user(
                 &self.create_user.username,
-                &self.create_user.password,
+                self.create_user.password.expose_secret(),
                 self.create_user.status,
                 self.create_user.permissions.clone(),
             )
             .await
             .with_context(|| {
                 format!(
-                    "Problem creating user (username: {} and password: {})",
-                    self.create_user.username, self.create_user.password
+                    "Problem creating user (username: {})",
+                    self.create_user.username
                 )
             })?;
 
         event!(target: PRINT_TARGET, Level::INFO,
-            "User with username: {} and password: {} created",
-            self.create_user.username, self.create_user.password
+            "User with username: {} created",
+            self.create_user.username
         );
 
         Ok(())

diff --git a/core/cli/src/credentials.rs b/core/cli/src/credentials.rs
@@ -23,6 +23,7 @@ use iggy::clients::client::IggyClient;
 use iggy::prelude::{Args, IggyError, PersonalAccessTokenClient, UserClient};
 use iggy_cli::commands::binary_system::session::ServerSession;
 use passterm::{Stream, isatty, prompt_password_stdin, prompt_password_tty};
+use secrecy::{ExposeSecret, SecretString};
 use std::env::var;
 
 #[cfg(feature = "login-session")]
@@ -40,13 +41,13 @@ static ENV_IGGY_PASSWORD: &str = "IGGY_PASSWORD";
 
 struct IggyUserClient {
     username: String,
-    password: String,
+    password: SecretString,
 }
 
 enum Credentials {
     UserNameAndPassword(IggyUserClient),
-    PersonalAccessToken(String),
-    SessionWithToken(String, String),
+    PersonalAccessToken(SecretString),
+    SessionWithToken(SecretString, String),
 }
 
 pub(crate) struct IggyCredentials<'a> {
@@ -73,7 +74,10 @@ impl<'a> IggyCredentials<'a> {
             let server_session = ServerSession::new(server_address.clone());
             if let Some(token) = server_session.get_token() {
                 return Ok(Self {
-                    credentials: Some(Credentials::SessionWithToken(token, server_address)),
+                    credentials: Some(Credentials::SessionWithToken(
+                        SecretString::from(token),
+                        server_address,
+                    )),
                     iggy_client: None,
                     login_required,
                 });
@@ -91,7 +95,9 @@ impl<'a> IggyCredentials<'a> {
                     let token = entry.get_password()?;
 
                     Ok(Self {
-                        credentials: Some(Credentials::PersonalAccessToken(token)),
+                        credentials: Some(Credentials::PersonalAccessToken(SecretString::from(
+                            token,
+                        ))),
                         iggy_client: None,
                         login_required,
                     })
@@ -102,19 +108,22 @@ impl<'a> IggyCredentials<'a> {
 
         if let Some(token) = &cli_options.token {
             Ok(Self {
-                credentials: Some(Credentials::PersonalAccessToken(token.clone())),
+                credentials: Some(Credentials::PersonalAccessToken(SecretString::from(
+                    token.clone(),
+                ))),
                 iggy_client: None,
                 login_required,
             })
         } else if let Some(username) = &cli_options.username {
             let password = match &cli_options.password {
-                Some(password) => password.clone(),
+                Some(password) => SecretString::from(password.clone()),
                 None => {
-                    if isatty(Stream::Stdin) {
+                    let pwd = if isatty(Stream::Stdin) {
                         prompt_password_tty(Some("Password: "))?
                     } else {
                         prompt_password_stdin(None, Stream::Stdout)?
-                    }
+                    };
+                    SecretString::from(pwd)
                 }
             };
 
@@ -130,7 +139,7 @@ impl<'a> IggyCredentials<'a> {
             Ok(Self {
                 credentials: Some(Credentials::UserNameAndPassword(IggyUserClient {
                     username: var(ENV_IGGY_USERNAME)?,
-                    password: var(ENV_IGGY_PASSWORD)?,
+                    password: SecretString::from(var(ENV_IGGY_PASSWORD)?),
                 })),
                 iggy_client: None,
                 login_required,
@@ -154,7 +163,7 @@ impl<'a> IggyCredentials<'a> {
                     let _ = client
                         .login_user(
                             &username_and_password.username,
-                            &username_and_password.password,
+                            username_and_password.password.expose_secret(),
                         )
                         .await
                         .with_context(|| {
@@ -166,14 +175,14 @@ impl<'a> IggyCredentials<'a> {
                 }
                 Credentials::PersonalAccessToken(token_value) => {
                     let _ = client
-                        .login_with_personal_access_token(token_value)
+                        .login_with_personal_access_token(token_value.expose_secret())
                         .await
-                        .with_context(|| {
-                            format!("Problem with server login with token: {token_value}")
-                        })?;
+                        .with_context(|| "Problem with server login with token".to_string())?;
                 }
                 Credentials::SessionWithToken(token_value, server_address) => {
-                    let login_result = client.login_with_personal_access_token(token_value).await;
+                    let login_result = client
+                        .login_with_personal_access_token(token_value.expose_secret())
+                        .await;
                     if let Err(err) = login_result {
                         if matches!(
                             err,
@@ -187,7 +196,7 @@ impl<'a> IggyCredentials<'a> {
                                 "Login session expired for Iggy server: {server_address}, please login again or use other authentication method"
                             );
                         } else {
-                            bail!("Problem with server login with token: {token_value}");
+                            bail!("Problem with server login with token");
                         }
                     }
                 }

diff --git a/core/common/Cargo.toml b/core/common/Cargo.toml
@@ -55,6 +55,7 @@ papaya = { workspace = true }
 rcgen = { workspace = true }
 ring = { workspace = true }
 rustls = { workspace = true }
+secrecy = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 serde_with = { workspace = true, features = ["base64"] }