You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix(broker): sanitize OAuth callback error and token-endpoint failures (MCP-1045)
The T12 security review (Codex, request_changes) found two paths that leak
authorization-server-controlled strings into logs and responses, violating the
FR-029/SC-005 'no secret in logs/responses/audit' invariant:
1. The credential connect callback coerced the raw ?error= value only for the
audit sink, but still logged it verbatim and reflected it into the browser
redirect's credential_error param. Now the sanitized label is used on all
three sinks (audit, log, redirect).
2. OAuthConnector.postToken returned the raw token-endpoint response body in its
error, which is logged on the connect and refresh paths. A hostile/misconfigured
AS could embed access/refresh tokens or echoed input there. postToken now
surfaces only the HTTP status plus an allowlisted RFC 6749 §5.2 error code,
mirroring the RFC 8693 exchanger's sanitizedError.
Adds regression tests covering the redirect/log leak and the token-body leak.
Related #694, Related MCP-1045
0 commit comments