fix(codex): log account on token refresh failure #3727
This pull request targeted The base branch has been automatically changed to |
Code Review
This pull request enhances token refresh logging by extracting and including an account label (such as an email or account ID) in warning logs when refresh attempts fail. A security concern was raised regarding the logging of raw email addresses, which constitutes Personally Identifiable Information (PII). It is recommended to mask or obfuscate these email addresses before logging to comply with privacy regulations.
| func codexRefreshAccountLabel(labels ...string) string { | ||
| for _, label := range labels { | ||
| if trimmed := strings.TrimSpace(label); trimmed != "" { | ||
| return trimmed | ||
| } | ||
| } | ||
| return "unknown" | ||
| } |
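Review bot: In `codexRefreshAccountLabel`, the `return trimmed` branch hands the first non-empty label back verbatim, and `strings.TrimSpace` only strips leading and trailing whitespace, so a newline or other control character inside a label would survive into whatever log line uses the result. Consider dropping control characters before returning, and add a doc comment stating that argument order is the precedence (first non-empty wins, `"unknown"` when all are empty) so callers pass the least sensitive identifier first.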
Logging raw email addresses (PII) in application logs can lead to security compliance issues (e.g., GDPR/CCPA violations) when logs are sent to external aggregators.
Consider obfuscating or masking the email address before logging it to protect user privacy while still retaining enough context for troubleshooting.
```go
func codexRefreshAccountLabel(labels ...string) string {
	for _, label := range labels {
		if trimmed := strings.TrimSpace(label); trimmed != "" {
			if strings.Contains(trimmed, "@") {
				return maskEmail(trimmed)
			}
			return trimmed
		}
	}
	return "unknown"
}

// maskEmail keeps the first and last character of the local part and the full domain.
func maskEmail(email string) string {
	parts := strings.Split(email, "@")
	if len(parts) != 2 {
		return "***"
	}
	// Index by rune, not byte, so a non-ASCII local part is not split mid-character.
	local, domain := []rune(parts[0]), parts[1]
	if len(local) <= 2 {
		return "***@" + domain
	}
	return string(local[0]) + "***" + string(local[len(local)-1]) + "@" + domain
}
```
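Chinese
Fix the missing auth identifier in Codex token refresh failure logs
Add an auth identifier to the Codex OAuth token refresh retry logs, using the same auth ID as the selector logs, so that the specific account file behind refresh failures such as refresh_token_reused is easy to locate.
Also update the Codex RefreshTokensWithRetry calls in fetch_codex_models and the related tests to keep the function signature consistent.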
English
fix(codex): include auth identifier in token refresh failure logs
Add the auth identifier to Codex OAuth token refresh retry warnings, using the same auth ID shown in selector logs. This makes it easier to identify which auth entry is affected by failures such as refresh_token_reused.
Update the Codex RefreshTokensWithRetry call sites in fetch_codex_models and tests to match the new function signature.
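A keyed pseudonym is one alternative to character masking for the PII concern raised in the review: it hides the address entirely while keeping the label stable across log lines. The Go code below is an added example, not code from this pull request or the project; the helper names, the `acct-` prefix and the way the key is supplied are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode"
)

// logSafeAccountLabel (hypothetical helper) returns the first non-empty label
// in a form that is safe to log: control characters removed, emails replaced.
func logSafeAccountLabel(key []byte, labels ...string) string {
	for _, label := range labels {
		// Drop control characters so a label cannot start a forged log line.
		clean := strings.TrimSpace(strings.Map(func(r rune) rune {
			if unicode.IsControl(r) {
				return -1
			}
			return r
		}, label))
		if clean == "" {
			continue
		}
		if strings.Contains(clean, "@") {
			return pseudonymizeEmail(key, clean)
		}
		return clean
	}
	return "unknown"
}

// pseudonymizeEmail replaces an address with a truncated HMAC-SHA256 tag.
// The same address always yields the same tag, so repeated failures for one
// account can be correlated, but the tag cannot be tested against a list of
// candidate addresses without the key. 48 bits is enough to tell accounts apart.
func pseudonymizeEmail(key []byte, email string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.ToLower(email)))
	return "acct-" + hex.EncodeToString(mac.Sum(nil))[:12]
}

func main() {
	key := []byte("constructed-demo-key") // assumption: loaded from deployment secrets
	fmt.Println(logSafeAccountLabel(key, "  ", "Alice@example.com")) // constructed input
	fmt.Println(logSafeAccountLabel(key, "auth-01\nlevel=error forged"))
}
```

An operator who holds the key can recompute the tag for a known address to find its log lines; nobody reading the logs alone can go the other way.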