Skip to content

Commit 90e249c

Browse files
committed
fix(login): remove unconditional logging of OAuth2 access and refresh tokens
OAuth2 access token and refresh token were unconditionally printed to stderr via log.Printf on every SSO login, regardless of --verbose flag. Any CI/CD pipeline or log aggregation system capturing stderr would silently record long-lived credentials in plaintext. All other sensitive data in the codebase (request bodies, headers) is already gated behind config.Verbose / config.DumpRequestIfRequired. The 'Authentication successful' message printed immediately before is sufficient confirmation; the token values add no diagnostic value. Signed-off-by: Harish R S <harishrs21082006@gmail.com>
1 parent b892bbb commit 90e249c

1 file changed

Lines changed: 0 additions & 2 deletions

File tree

cmd/login.go

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -293,8 +293,6 @@ func oauth2login(
293293
ctx, cancel := context.WithTimeout(ctx, 1*time.Second)
294294
defer cancel()
295295
_ = srv.Shutdown(ctx)
296-
log.Printf("Token: %s\n", tokenString)
297-
log.Printf("Refresh Token: %s\n", refreshToken)
298296
return tokenString, refreshToken
299297
}
300298

0 commit comments

Comments
 (0)