Merge pull request #20941 from ahrtr/20251117_tokens_3.6

ahrtr · web-flow · commit f185ce6c191c · 2025-11-17T19:10:00.000Z
[release-3.6] Print token fingerprint instead of the original tokens in log messages
diff --git a/server/auth/jwt.go b/server/auth/jwt.go
@@ -115,12 +115,12 @@ func (t *tokenJWT) assign(ctx context.Context, username string, revision uint64)
 		return "", err
 	}
 
-	t.lg.Debug(
-		"created/assigned a new JWT token",
-		zap.String("user-name", username),
-		zap.Uint64("revision", revision),
-		zap.String("token", token),
-	)
+	if ce := t.lg.Check(zap.DebugLevel, "created/assigned a new JWT token"); ce != nil {
+		tokenFingerprint := redactToken(token)
+		ce.Write(zap.String("user-name", username),
+			zap.Uint64("revision", revision),
+			zap.String("token-fingerprint", tokenFingerprint))
+	}
 	return token, err
 }
 
diff --git a/server/auth/simple_token.go b/server/auth/simple_token.go
@@ -131,10 +131,11 @@ func (t *tokenSimple) assignSimpleTokenToUser(username, token string) {
 
 	_, ok := t.simpleTokens[token]
 	if ok {
+		tokenFingerprint := redactToken(token)
 		t.lg.Panic(
 			"failed to assign already-used simple token to a user",
 			zap.String("user-name", username),
-			zap.String("token", token),
+			zap.String("token-fingerprint", tokenFingerprint),
 		)
 	}
 
diff --git a/server/auth/store.go b/server/auth/store.go
@@ -17,7 +17,9 @@ package auth
 import (
 	"bytes"
 	"context"
+	"crypto/sha256"
 	"encoding/base64"
+	"encoding/hex"
 	"errors"
 	"sort"
 	"strings"
@@ -349,11 +351,10 @@ func (as *authStore) Authenticate(ctx context.Context, username, password string
 		return nil, err
 	}
 
-	as.lg.Debug(
-		"authenticated a user",
-		zap.String("user-name", username),
-		zap.String("token", token),
-	)
+	if ce := as.lg.Check(zap.DebugLevel, "authenticated a user"); ce != nil {
+		tokenFingerprint := redactToken(token)
+		ce.Write(zap.String("user-name", username), zap.String("token-fingerprint", tokenFingerprint))
+	}
 	return &pb.AuthenticateResponse{Token: token}, nil
 }
 
@@ -1074,7 +1075,8 @@ func (as *authStore) AuthInfoFromCtx(ctx context.Context) (*AuthInfo, error) {
 	token := ts[0]
 	authInfo, uok := as.authInfoFromToken(ctx, token)
 	if !uok {
-		as.lg.Warn("invalid auth token", zap.String("token", token))
+		tokenFingerprint := redactToken(token)
+		as.lg.Warn("invalid auth token", zap.String("token-fingerprint", tokenFingerprint))
 		return nil, ErrInvalidAuthToken
 	}
 
@@ -1228,3 +1230,8 @@ func (as *authStore) setupMetricsReporter() {
 	}
 	reportCurrentAuthRevMu.Unlock()
 }
+
+func redactToken(token string) string {
+	sum := sha256.Sum256([]byte(token))
+	return hex.EncodeToString(sum[:])[:12]
+}

Original file line number	Diff line number	Diff line change
`@@ -131,10 +131,11 @@ func (t *tokenSimple) assignSimpleTokenToUser(username, token string) {`
`131`	`131`
`132`	`132`	`_, ok := t.simpleTokens[token]`
`133`	`133`	`if ok {`
	`134`	`+ tokenFingerprint := redactToken(token)`
`134`	`135`	`t.lg.Panic(`
`135`	`136`	`"failed to assign already-used simple token to a user",`
`136`	`137`	`zap.String("user-name", username),`
`137`		`- zap.String("token", token),`
	`138`	`+ zap.String("token-fingerprint", tokenFingerprint),`
`138`	`139`	`)`
`139`	`140`	`}`
`140`	`141`