Critical security fix.

The 6 Trace-level log statements in auth_service.go were printing JWT tokens and HMAC signing secrets in cleartext. Any environment with logging.level=trace (dev/staging) routed these into the log pipeline, where an attacker with log read access could forge JWTs. Replaced cleartext values with sha256-truncated fingerprints (16 hex chars) following the existing JWTSecretInfo.SecretSHA256 pattern.

Lines fixed:
- Line 109: signing_secret leak in GenerateJWT
- Line 118: token leak in GenerateJWT
- Line 124: token leak in ValidateJWT
- Line 131: secret leak in ValidateJWT (trying secret)
- Line 150: secret leak in ValidateJWT (validation successful)
- Line 158: secret leak in ValidateJWT (validation failed)

Generated by Mistral Vibe.

Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
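The fingerprint technique the commit describes, shown as an added stand-alone Go example that is not the project's auth_service.go code: a `Fingerprint` helper (first 16 hex characters of SHA-256, matching the "sha256-truncated, 16 hex chars" rule in the message), a leaking trace line beside the fixed one, and a `Leaks` check that a test can run over a log sink to catch this class of regression. The function names, the `mintHS256` token builder and the sample secret are assumptions made for this example, not the project's identifiers.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// Fingerprint returns the first 16 hex characters (64 bits) of the SHA-256
// digest of v. The fingerprint lets an operator confirm which secret or token
// a log line refers to without putting a replayable value into the log.
func Fingerprint(v []byte) string {
	sum := sha256.Sum256(v)
	return hex.EncodeToString(sum[:])[:16]
}

// mintHS256 builds a minimal HS256 JWT (header.payload.signature) so the
// example has a realistic token to log. Constructed for this example only;
// it is not the project's token code.
func mintHS256(claims string, secret []byte) string {
	enc := base64.RawURLEncoding.EncodeToString
	header := enc([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload := enc([]byte(claims))
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(header + "." + payload))
	return header + "." + payload + "." + enc(mac.Sum(nil))
}

// traceLineBefore reproduces the leaking pattern: the cleartext signing
// secret and the issued token both land in the log line.
func traceLineBefore(secret []byte, token string) string {
	return fmt.Sprintf("level=trace msg=\"generated jwt\" signing_secret=%s token=%s", secret, token)
}

// traceLineAfter is the fixed pattern: only fingerprints are logged.
func traceLineAfter(secret []byte, token string) string {
	return fmt.Sprintf("level=trace msg=\"generated jwt\" signing_secret_sha256=%s token_sha256=%s",
		Fingerprint(secret), Fingerprint([]byte(token)))
}

// Leaks reports whether line contains any of the given cleartext values.
// Running it over captured log output in a unit test catches reintroduced
// secret-in-log bugs regardless of which statement leaked.
func Leaks(line string, values ...[]byte) bool {
	for _, v := range values {
		if len(v) > 0 && strings.Contains(line, string(v)) {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("example-hmac-secret-do-not-use") // constructed sample secret
	token := mintHS256(`{"sub":"alice","exp":1700000000}`, secret)

	before := traceLineBefore(secret, token)
	after := traceLineAfter(secret, token)
	fmt.Println(before)
	fmt.Println(after)
	fmt.Println("before leaks:", Leaks(before, secret, []byte(token)))
	fmt.Println("after leaks: ", Leaks(after, secret, []byte(token)))
}
```

One caveat a reviewer would raise: a truncated unkeyed hash only protects a value that is itself high-entropy. For a random HMAC key or a signed token that holds; for a low-entropy, password-like secret, an attacker who reads the fingerprint can brute-force candidates offline, so such values should either not be fingerprinted at all or be hashed under a separate key that never reaches the log pipeline.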