Critical security fix. The 6 Trace-level log statements in auth_service.go
were printing JWT tokens and HMAC signing secrets in cleartext. Any environment
with logging.level=trace (dev/staging) routed these into the log pipeline,
where an attacker with log read access could forge JWTs. Replaced cleartext
values with sha256-truncated fingerprints (16 hex chars) following the existing
JWTSecretInfo.SecretSHA256 pattern.

Lines fixed:
- Line 109: signing_secret leak in GenerateJWT
- Line 118: token leak in GenerateJWT
- Line 124: token leak in ValidateJWT
- Line 131: secret leak in ValidateJWT (trying secret)
- Line 150: secret leak in ValidateJWT (validation successful)
- Line 158: secret leak in ValidateJWT (validation failed)

Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
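The fingerprinting pattern the commit describes, as an added Go example that is not the repository's own code: a helper returning the first 16 hex characters of SHA-256, the pre-fix and post-fix shape of a Trace line side by side, and a small check that can be run over log output to confirm no secret or token survives verbatim. The names `fingerprint`, `traceLineUnsafe`, `traceLineSafe` and `leaksValue` are assumptions made for this example, and the sample secret and token are constructed values.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"log"
	"strings"
)

// fingerprint returns the first 16 hex characters of SHA-256(value).
// Assumed helper mirroring the JWTSecretInfo.SecretSHA256 pattern named in
// the commit message; it is not the project's own function.
func fingerprint(value string) string {
	sum := sha256.Sum256([]byte(value))
	return hex.EncodeToString(sum[:])[:16]
}

// traceLineUnsafe is the pre-fix shape: secret and token land in the log verbatim.
func traceLineUnsafe(secret, token string) string {
	return fmt.Sprintf("trace: GenerateJWT signing_secret=%s token=%s", secret, token)
}

// traceLineSafe is the post-fix shape: only fingerprints are logged, which is
// enough to correlate which secret/token was in play without disclosing it.
func traceLineSafe(secret, token string) string {
	return fmt.Sprintf("trace: GenerateJWT signing_secret_sha256=%s token_sha256=%s",
		fingerprint(secret), fingerprint(token))
}

// leaksValue reports whether a log line contains any sensitive value verbatim.
// Cheap enough to run in a unit test over every Trace statement's output.
func leaksValue(line string, sensitive ...string) bool {
	for _, s := range sensitive {
		if s != "" && strings.Contains(line, s) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample values; not real credentials.
	secret := "example-hmac-secret-do-not-use"
	token := "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl"

	log.Println(traceLineUnsafe(secret, token)) // before: leaks both values
	log.Println(traceLineSafe(secret, token))   // after: fingerprints only

	fmt.Println("unsafe line leaks:", leaksValue(traceLineUnsafe(secret, token), secret, token))
	fmt.Println("safe line leaks:  ", leaksValue(traceLineSafe(secret, token), secret, token))
}
```

A 16-hex-character (64-bit) truncation is ample for correlating log lines to a key or token but gives a reader of the logs nothing to forge with; the full 256-bit digest is not needed for that purpose and only makes lines longer.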