fix(#411): sanitize Bearer tokens in verifySession logs + warn on non-Error thrown values

- Redact Bearer tokens from error stacks/messages before logging to
  prevent session token leakage into server logs
- Add logger.warn for non-Error thrown values in verifySession catch
  block for observability
- Add tests for token redaction and non-Error warn logging

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jason Woltje
2026-02-16 15:48:10 -06:00
parent 5328390f4c
commit 05ee6303c2
2 changed files with 101 additions and 2 deletions


@@ -139,14 +139,24 @@ export class AuthService {
if (!isExpectedAuthError) {
// Infrastructure or unexpected — propagate as 500
const safeMessage = (error.stack ?? error.message).replace(
/Bearer\s+\S+/gi,
"Bearer [REDACTED]"
);
this.logger.error(
"Session verification failed due to unexpected error",
error.stack ?? error.message
safeMessage
);
throw error;
}
}
// Non-Error thrown values or expected auth errors
// Non-Error thrown values — log for observability, treat as auth failure
if (!(error instanceof Error)) {
this.logger.warn(
"Session verification received non-Error thrown value",
typeof error === "object" ? JSON.stringify(error) : String(error),
);
}
return null;
}
}
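Review bot: The new `this.logger.warn(...)` call in the non-Error branch logs the thrown value unredacted, so the Bearer masking the Error branch gains via `safeMessage` does not cover it; a rejected response-like object that carries an `Authorization` header would still land in the log. `JSON.stringify(error)` can also throw (circular references, BigInt values), and a throw inside this catch block escapes the method instead of reaching `return null`, turning an intended auth failure into an unexpected error. Separately, `throw error` on the unexpected path rethrows the Error with its original stack, so the redaction only holds if no upstream handler logs `error.stack` itself — not visible from this hunk, whose enclosing catch block and method begin before it. A guarded serialization that reuses the same redaction pattern for the non-Error branch is sketched below.
```javascript
// … unchanged: Error branch building safeMessage and rethrowing …
if (!(error instanceof Error)) {
  let rendered;
  try {
    rendered = typeof error === "object" ? JSON.stringify(error) : String(error);
  } catch {
    // JSON.stringify throws on cycles/BigInt; never let that escape the catch block
    rendered = "[unserializable non-Error value]";
  }
  this.logger.warn(
    "Session verification received non-Error thrown value",
    rendered.replace(/Bearer\s+\S+/gi, "Bearer [REDACTED]"),
  );
}
return null;
```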