fix(security): Remove sensitive auth data from console logs#6700

Open
shakecodeslikecray wants to merge 1 commit into ChatGPTNextWeb:main from shakecodeslikecray:fix/remove-auth-secrets-logging

Conversation

@shakecodeslikecray

Summary

  • Removed logging of sensitive authentication data that could be exposed in server logs

Problem

In app/api/auth.ts:33-37, the following sensitive information was being logged to the console:

  • Allowed hashed access codes (full list)
  • Raw access codes from requests
  • Hashed access codes
  • User IP addresses

This is a security risk as these values could be exposed in:

  • Server logs
  • CI/CD outputs
  • Log aggregation systems
  • Error monitoring tools

Fix

Removed all sensitive data logging, keeping only a simple timestamp for debugging:

console.log("[Auth] request received at", new Date().toLocaleString());

Test plan

  • Verify auth still works correctly
  • Confirm sensitive data no longer appears in server logs

🤖 Generated with Claude Code

Bug discovered by whiterose

Bug ID: WR-001
File: app/api/auth.ts:36
Severity: medium

Access codes and hashed access codes are logged to the console, which could expose authentication secrets in logs. The code logs allowed hashed codes, the raw access code, the hashed access code, and user IP addresses.

Fixed by whiterose
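As an added TypeScript example (not code from this PR or from the ChatGPTNextWeb project): a constructed "before" log line in the shape the description lists, the timestamp-only line the fix keeps, and a scanner for the second test-plan item that checks captured log output for the raw code, its hash, the allowed hashes and the client IP. The AuthContext field names and the use of SHA-256 for the code hash are assumptions.

```typescript
import { createHash } from "node:crypto";

// Constructed request context; these field names are assumptions, not the
// project's own types.
interface AuthContext {
  accessCode: string;           // raw code taken from the request
  allowedHashedCodes: string[]; // server-side allow list of hashed codes
  clientIp: string;
}

// Hash algorithm is an assumption; the point is that the digest is itself a
// secret, because the allow list is a list of digests.
function hashAccessCode(code: string): string {
  return createHash("sha256").update(code).digest("hex");
}

// Constructed "before" record in the shape the description lists: allow
// list, raw code, its hash and the client IP all end up in the log stream.
function buildLegacyAuthLogLine(ctx: AuthContext): string {
  return `[Auth] allowed hashed codes ${ctx.allowedHashedCodes.join(",")}` +
    ` got access code ${ctx.accessCode} hashed ${hashAccessCode(ctx.accessCode)}` +
    ` ip ${ctx.clientIp}`;
}

// The shape the fix keeps: a timestamp plus a coarse outcome, nothing that
// identifies the caller or lets a log reader recover a code.
function buildAuthLogLine(ctx: AuthContext, now: Date = new Date()): string {
  const accepted = ctx.allowedHashedCodes.includes(hashAccessCode(ctx.accessCode));
  return `[Auth] request received at ${now.toISOString()} (${accepted ? "accepted" : "rejected"})`;
}

// Test-plan check: scan captured log lines for every value the old code
// printed. Returns the distinct secrets found, so an empty array means clean.
function findLeakedSecrets(logLines: string[], ctx: AuthContext): string[] {
  const secrets = [
    ctx.accessCode,
    hashAccessCode(ctx.accessCode),
    ...ctx.allowedHashedCodes,
    ctx.clientIp,
  ].filter((s) => s.length > 0);
  const leaked = new Set<string>();
  for (const line of logLines) {
    for (const s of secrets) {
      if (line.includes(s)) leaked.add(s);
    }
  }
  return [...leaked];
}
```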