@jonathanhle
Contributor

@jonathanhle jonathanhle commented May 21, 2025

Propose log redactions for tokens/strings we'd be more comfortable having redacted.

discord-access  | 192.168.127.1 - - [21/May/2025:07:49:04 +0000] "GET /oidc/authorize?[REDACTED] HTTP/1.1" 302 289 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36"
discord-access  | Could not refresh token {REDACTED_TOKEN_DATA}}: token_invalid:

@somethingnew2-0
Collaborator

Very nice! Change this PR out of draft when you're ready and I can take a final review

@jonathanhle
Contributor Author

> Very nice! Change this PR out of draft when you're ready and I can take a final review

Will update the mypy stuff and then go out of draft. Need a bit.

@jonathanhle jonathanhle marked this pull request as ready for review May 21, 2025 16:37
Copilot AI review requested due to automatic review settings May 21, 2025 16:37
Contributor

Copilot AI left a comment

Pull Request Overview

This PR introduces log redaction improvements to mask sensitive token and authorization code information in application and access logs.

  • Adds a TokenSanitizingFilter to sanitize token data in application logs.
  • Implements a RedactingGunicornLogger to strip query strings from access logs for the /oidc/authorize endpoint.
  • Updates app initialization to apply the new log filters to various loggers.

Reviewed Changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| api/log_filters.py | Adds token redaction filtering logic and a custom Gunicorn logger for access logs. |
| api/app.py | Updates application logging configuration to include the new token sanitizing filter. |
Files not reviewed (1)
  • Dockerfile: Language not supported
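
The two redactions described in the overview above, written as a standard-library logging filter. This is an added example, not the code merged in api/log_filters.py: the regexes, the `RedactingFilter` and `redact` names, and the sample records are assumptions modelled on the two log lines in the PR description.

```python
import logging
import re

# Assumed patterns, modelled on the two sample log lines in the PR description.
_AUTHORIZE_QUERY = re.compile(r'(/oidc/authorize)\?[^\s"]*')
_TOKEN_DATA = re.compile(r"(Could not refresh token )\{.*\}", re.DOTALL)


def redact(message: str) -> str:
    """Mask the /oidc/authorize query string and any logged token dict."""
    message = _AUTHORIZE_QUERY.sub(r"\1?[REDACTED]", message)
    return _TOKEN_DATA.sub(r"\1{REDACTED_TOKEN_DATA}", message)


class RedactingFilter(logging.Filter):
    def filter(self, record: logging.LogRecord) -> bool:
        # Render first so secrets passed as %-style args are caught too,
        # then drop the args so they cannot be re-interpolated later.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def demo() -> list[str]:
    handler = ListHandler()
    # Attach to the handler, not the logger: logger-level filters are skipped
    # for records that propagate up from child loggers.
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("redaction-demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    # Constructed sample records; every code and token value is fake.
    log.info('192.0.2.10 - - "GET /oidc/authorize?code=FAKECODE&state=xyz HTTP/1.1" 302 289')
    log.warning("Could not refresh token %s: token_invalid:",
                {"access_token": "FAKE1", "refresh_token": "FAKE2"})
    logging.getLogger("redaction-demo.child").info("GET /oidc/authorize?code=CHILD HTTP/1.1")
    return handler.lines
```

Message-level redaction of this kind does not touch tracebacks attached through `exc_info`, so exceptions whose text embeds a token need separate handling.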

@jonathanhle
Contributor Author

@somethingnew2-0 fixed the mypy errors. Tested on my local and the logging redactions of the tokens are taking place.

@somethingnew2-0 somethingnew2-0 merged commit 52a778a into discord:main May 22, 2025
3 checks passed
@mmenendez-gemini mmenendez-gemini deleted the jle-PLATSEC-3706-redact-token-log branch October 23, 2025 20:19