Registry token shown in debug logs #9822

@pietroalbini

Problem

When publishing a crate with debug logging enabled, the full, plaintext registry token is included in the output. This is bad when users are trying to figure out what's wrong with cargo publish and end up sending their logs to another person to help with debugging, or worse, they post the log in a public issue.

Steps

CARGO_LOG=debug cargo publish 2>&1 | grep "found token \"cio"

Possible Solution(s)

The log message is defined here:

log::debug!("found token {:?}", token);

The log message should either be removed or it should be changed to only display the last N chars of the API token (to still allow someone debugging cargo to know which token it picked up).

Notes

Output of cargo version:

cargo 1.54.0 (5ae8d74b3 2021-06-22)
release: 1.54.0
commit-hash: 5ae8d74b3b2d58f32c8d357e5cfa04d430a70e0b
commit-date: 2021-06-22
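One way to implement the "last N chars" option proposed above, as an added example that is not cargo's code or the fix that was actually merged: the token lives in a wrapper type whose Debug output is redacted, so a `{:?}` at any log call site cannot print it in full. The names `RegistryToken`, `expose` and `token_log_line`, the suffix length of 4 and the 16-character minimum are all assumptions made for illustration.

```rust
use std::fmt;

/// Trailing characters left visible (assumed; the issue only says "last N").
const VISIBLE_SUFFIX: usize = 4;
/// Shorter tokens are masked entirely, so the suffix never reveals most of the secret.
const MIN_LEN_FOR_SUFFIX: usize = 16;

/// Hypothetical wrapper that owns the token and never formats it in full.
pub struct RegistryToken(String);

impl RegistryToken {
    pub fn new(raw: impl Into<String>) -> Self {
        RegistryToken(raw.into())
    }

    /// Explicit accessor for the one place that needs the real value
    /// (building the request to the registry).
    pub fn expose(&self) -> &str {
        &self.0
    }
}

impl fmt::Debug for RegistryToken {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Work on chars, not bytes, so slicing cannot split a UTF-8 sequence.
        let chars: Vec<char> = self.0.chars().collect();
        if chars.len() < MIN_LEN_FOR_SUFFIX {
            return f.write_str("<redacted>");
        }
        let suffix: String = chars[chars.len() - VISIBLE_SUFFIX..].iter().collect();
        write!(f, "<redacted>...{}", suffix)
    }
}

/// Stand-in for the call site quoted in the issue; in cargo this would be
/// log::debug!("found token {:?}", token).
pub fn token_log_line(token: &RegistryToken) -> String {
    format!("found token {:?}", token)
}

fn main() {
    // Constructed sample value, not a real registry token.
    let token = RegistryToken::new("cioEXAMPLEEXAMPLEEXAMPLEabcd");
    println!("{}", token_log_line(&token));
    println!("{}", token_log_line(&RegistryToken::new("short")));
    println!("real length still available: {}", token.expose().len());
}
```

With this in place, the grep from the Steps section finds nothing, while the suffix still lets someone debugging cargo tell which token was picked up.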

Labels: C-bug (Category: bug)
