
server logs token, when wrong token is sent #111

@tessus

I have noticed that the server logs a sent token, if the token is not valid:

e.g.: rpaste -a invalid_token -V

[2023-08-13T19:24:30Z WARN  rustypaste::auth] authorization failure for a.b.c.d (header: invalid_token)

There are 2 issues with this:

  • the text is wrong. header should print the entire header or the text should be renamed to token
  • the token should not be printed at all

I don't think a token should be logged, even if it is an invalid one. At least not in a release build. Such a situation can arise when you use rpaste with the token in the config file, but use different rustypaste servers. If you forget only once to add the -a flag, a production token for another instance will be logged.

I suggest removing everything after the IP address.

However, I do think that it could be important for testing/debugging purposes, so let's just add the token for failures in debug builds.

What do you think?
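
The behaviour proposed in this issue, as an added example that is not part of the original issue and is not rustypaste's own code: the release-build warning ends at the IP address, and the rejected value is appended (labelled `token`) only in debug builds. The names `auth_failure_message` and `check_auth`, the sample address and the sample tokens are assumptions made for the illustration.

```rust
// Added illustration; function names are hypothetical, not rustypaste's code.
use std::net::IpAddr;

/// Builds the warning line for a failed authorization attempt.
/// `include_token` decides whether the rejected value is appended.
fn auth_failure_message(peer: IpAddr, sent_token: &str, include_token: bool) -> String {
    if include_token {
        // Debug aid only. The label says "token" because only the token,
        // not the whole header, is printed.
        format!("authorization failure for {} (token: {})", peer, sent_token)
    } else {
        // Release behaviour: nothing after the IP address, so a production
        // token sent to the wrong server never reaches that server's logs.
        format!("authorization failure for {}", peer)
    }
}

/// Checks the sent token against the configured ones.
/// On failure, returns the line that should be written to the log.
fn check_auth(peer: IpAddr, sent: Option<&str>, valid: &[&str]) -> Result<(), String> {
    let token = sent.unwrap_or("").trim();
    if !token.is_empty() && valid.iter().any(|v| *v == token) {
        return Ok(());
    }
    // cfg!(debug_assertions) is true in debug builds and false with --release.
    Err(auth_failure_message(peer, token, cfg!(debug_assertions)))
}

fn main() {
    // Constructed sample values (documentation address range, made-up tokens).
    let peer: IpAddr = "192.0.2.10".parse().unwrap();
    match check_auth(peer, Some("invalid_token"), &["s3cret"]) {
        Ok(()) => println!("authorized"),
        Err(line) => eprintln!("WARN {}", line),
    }
}
```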

Labels: bug
