this is barely worth a phabricator task since it’s an owner-only consumer but the credentials of bash.toolforge.org are world-readable on toolforge and i assume they’re not supposed to be
lucaswerkmeister@tools-sgebastion-07:~$ cat ~tools.bash/quips/.env #ES_URL=http://tools-elastic-01.tools.eqiad.wmflabs/ ES_URL=http://elasticsearch.svc.tools.eqiad1.wikimedia.cloud/ ES_USER=tools.bash ES_PASSWORD="xxxxxxxxxxxxxxxxxxxxxxxx" CAN_EDIT=true CAN_VOTE=true LOG_CHANNEL=quips LOG_LEVEL=info SLIM_MODE=development USE_OAUTH=true ## bash.toolforge.org OAuth OAUTH_CONSUMER_TOKEN=e73eaac293eaa1ba7f11952cd874f365 OAUTH_SECRET_TOKEN=xxxxxxxxxxxxxxxxxxxxxxx OAUTH_ENDPOINT="https://www.mediawiki.org/w/index.php?title=Special:OAuth" OAUTH_REDIR="https://www.mediawiki.org/wiki/Special:OAuth/authenticate?" OAUTH_CALLBACK=https://bash.toolforge.org/oauth/callback ## tools.wmflabs.org/bash #OAUTH_CONSUMER_TOKEN=aea31746a1e5d5b3e7514952f70e7035 #OAUTH_SECRET_TOKEN=xxxxxxxxxxxxxxxxxxxxxxx #OAUTH_ENDPOINT="https://www.mediawiki.org/w/index.php?title=Special:OAuth" #OAUTH_REDIR="https://www.mediawiki.org/wiki/Special:OAuth/authenticate?" #OAUTH_CALLBACK=https://tools.wmflabs.org/bash/oauth/callback
can a toolforge admin or @bd808 just chmod go-rwx ~tools.bash/quips/.env and then we’ll get on with our lives and forget this ever happened