arcodange/dance-lessons-coach
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

🔒 fix(security): redact JWT tokens and HMAC secrets in trace logs (auth_service.go) #88

Merged
arcodange merged 1 commits from vibe/batch21-fix-jwt-secret-logs into main 2026-05-06 06:43:31 +02:00
Conversation 0 Commits 1 Files Changed 1 +16 -6
arcodange commented 2026-05-06 06:43:23 +02:00
Owner
Copy Link

Critical security fix. The 3 Trace-level log statements at auth_service.go:117/123/130 were printing JWT tokens and HMAC signing secrets in cleartext. Any environment with logging.level=trace (dev/staging) routed these into the log pipeline, where an attacker with log read access could forge JWTs. Replaced cleartext values with sha256-truncated fingerprints (16 hex chars) following the existing JWTSecretInfo.SecretSHA256 pattern. Found via Mistral review of pkg/server/middleware.go (Mistral noticed the trace logs while exploring related auth code). Mistral wrote the fix, trainer-takeover for the PR open + merge step (Q-059 max-turns hit before that step).

Critical security fix. The 3 Trace-level log statements at auth_service.go:117/123/130 were printing JWT tokens and HMAC signing secrets in cleartext. Any environment with logging.level=trace (dev/staging) routed these into the log pipeline, where an attacker with log read access could forge JWTs. Replaced cleartext values with sha256-truncated fingerprints (16 hex chars) following the existing JWTSecretInfo.SecretSHA256 pattern. Found via Mistral review of pkg/server/middleware.go (Mistral noticed the trace logs while exploring related auth code). Mistral wrote the fix, trainer-takeover for the PR open + merge step (Q-059 max-turns hit before that step).
arcodange added 1 commit 2026-05-06 06:43:24 +02:00
🔒 fix(security): redact JWT tokens and HMAC secrets in trace logs (auth_service.go) 807ff98464 
Critical security fix. The 6 Trace-level log statements in auth_service.go
were printing JWT tokens and HMAC signing secrets in cleartext. Any environment
with logging.level=trace (dev/staging) routed these into the log pipeline,
where an attacker with log read access could forge JWTs. Replaced cleartext
values with sha256-truncated fingerprints (16 hex chars) following the existing
JWTSecretInfo.SecretSHA256 pattern.

Lines fixed:
- Line 109: signing_secret leak in GenerateJWT
- Line 118: token leak in GenerateJWT
- Line 124: token leak in ValidateJWT
- Line 131: secret leak in ValidateJWT (trying secret)
- Line 150: secret leak in ValidateJWT (validation successful)
- Line 158: secret leak in ValidateJWT (validation failed)

Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
arcodange merged commit 02bafbb0e2 into main 2026-05-06 06:43:31 +02:00
arcodange deleted branch vibe/batch21-fix-jwt-secret-logs 2026-05-06 06:43:32 +02:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
arcodange
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: arcodange/dance-lessons-coach#88
Delete Branch "vibe/batch21-fix-jwt-secret-logs"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?