chore: Add additional warnings for sensitive tokens (#1905)

* chore: Add additional warnings for sensitive tokens

* chore: Fix lint issues

* chore: Document the test rationale

* chore: Move these file changes to a new PR

Author: lqiu96

google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/AccessToken.java

@@ -114,6 +114,13 @@ public int hashCode() {
     return Objects.hash(tokenValue, expirationTimeMillis, scopes);
   }
 
+  /**
+   * Returns a string representation of this access token, including the raw token value.
+   *
+   * <p><b>Security Warning:</b> The output of this method includes the raw, unmasked access token
+   * value. Do not log this output in production environments as it may expose sensitive
+   * credentials.
+   */
   @Override
   public String toString() {
     return MoreObjects.toStringHelper(this)

google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/ExternalAccountAuthorizedUserCredentials.java

@@ -284,6 +284,13 @@ public int hashCode() {
         quotaProjectId);
   }
 
+  /**
+   * Returns a string representation of this credential.
+   *
+   * <p><b>Security Warning:</b> The output of this method includes sensitive fields such as the
+   * client secret, refresh token, and request metadata containing the raw Bearer access token. Do
+   * not log this output in production environments as it may expose sensitive credentials.
+   */
   @Override
   public String toString() {
     return MoreObjects.toStringHelper(this)

google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/ImpersonatedCredentials.java

@@ -710,6 +710,13 @@ public int hashCode() {
         iamEndpointOverride);
   }
 
+  /**
+   * Returns a string representation of this credential.
+   *
+   * <p><b>Security Warning:</b> The output of this method includes the source credentials which may
+   * recursively contain sensitive fields such as access tokens. Do not log this output in
+   * production environments as it may expose sensitive credentials.
+   */
   @Override
   public String toString() {
     return MoreObjects.toStringHelper(this)

google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/LoggingUtils.java

@@ -79,7 +79,8 @@ static void logResponsePayload(
   /**
    * Generic log method to use when not logging standard request, response and payload.
    *
-   * <p>Note: This does not mask the data. Log carefully if the data contains sensitive tokens.
+   * <p>Any key in the provided {@code contextMap} that matches the sensitive keys set (e.g.
+   * access_token, refresh_token) will have its value masked via SHA-256 hash before being logged.
    */
   static void log(
       LoggerProvider loggerProvider, Level level, Map<String, Object> contextMap, String message) {

google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/OAuth2Credentials.java

@@ -446,6 +446,14 @@ protected Map<String, List<String>> getRequestMetadataInternal() {
     return null;
   }
 
+  /**
+   * Returns a string representation of this credential, including request metadata and access
+   * token.
+   *
+   * <p><b>Security Warning:</b> The output of this method includes the request metadata which
+   * contains the raw Bearer access token, and the raw access token value. Do not log this output in
+   * production environments as it may expose sensitive credentials.
+   */
   @Override
   public String toString() {
     OAuthValue localValue = value;

google-auth-library-java/oauth2_http/java/com/google/auth/oauth2/UserCredentials.java

@@ -361,6 +361,13 @@ public int hashCode() {
         quotaProjectId);
   }
 
+  /**
+   * Returns a string representation of this credential.
+   *
+   * <p><b>Security Warning:</b> The output of this method includes sensitive fields such as the
+   * refresh token and request metadata containing the raw Bearer access token. Do not log this
+   * output in production environments as it may expose sensitive credentials.
+   */
   @Override
   public String toString() {
     return MoreObjects.toStringHelper(this)