From ff4b3177a50956d24f0e64049c96ac2ae4b1bf29 Mon Sep 17 00:00:00 2001
From: Abhishek Sharma
Date: Thu, 5 Feb 2026 20:07:38 +0530
Subject: [PATCH] fix(secrets-exposure): Sensitive Information Logged

Bug ID: WR-001
File: app/api/auth.ts:36
Severity: medium
Access codes and hashed access codes are logged to the console, which could expose authentication secrets in logs. The code logs allowed hashed codes, the raw access code, the hashed access code, and user IP addresses.
Fixed by whiterose
---
 app/api/auth.ts | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/app/api/auth.ts b/app/api/auth.ts
index 8c78c70c865..977b0836d64 100644
--- a/app/api/auth.ts
+++ b/app/api/auth.ts
@@ -33,11 +33,7 @@ export function auth(req: NextRequest, modelProvider: ModelProvider) {
 const hashedCode = md5.hash(accessCode ?? "").trim();

 const serverConfig = getServerSideConfig();
- console.log("[Auth] allowed hashed codes: ", [...serverConfig.codes]);
- console.log("[Auth] got access code:", accessCode);
- console.log("[Auth] hashed access code:", hashedCode);
- console.log("[User IP] ", getIP(req));
- console.log("[Time] ", new Date().toLocaleString());
+ console.log("[Auth] request received at", new Date().toLocaleString());

 if (serverConfig.needCode && !serverConfig.codes.has(hashedCode) && !apiKey) {
 return {
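Review bot: A rejected access code now leaves no usable trace, because the `getIP(req)` line is removed and nothing is logged inside the `if (serverConfig.needCode && !serverConfig.codes.has(hashedCode) && !apiKey)` branch, so repeated guessing cannot be detected from the logs. I would log the outcome there without the code or its hash, for example `console.warn("[Auth] access code rejected from", getIP(req), "at", new Date().toISOString());`, which limits IP logging to failures. If client IPs must not be logged at all, a bare rejection message with a timestamp still gives monitoring something to count. The remaining line uses `toLocaleString()`, whose output depends on the server locale and time zone; `toISOString()` is easier to correlate across hosts. The body of `auth` and the rejection branch continue past the end of the hunk, so any failure handling further down is not visible here.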