Summary
Both models/signin.ts and models/signup.ts log the full token object at debug level, including the token UUID and verification code:
models/signin.ts ~line 37:
```ts
logger.debug("Created sign-in token (expires in {expires}): {token}", {
  expires: EXPIRATION,
  token: tokenData, // includes accountId, token UUID, and code
});
```
models/signup.ts ~line 59:
```ts
logger.debug("Created sign-up token (expires in {expires}): {token}", {
  expires: EXPIRATION,
  token: tokenData, // includes email, token UUID, and base64 code
});
```
Risk
If debug logging is enabled in any environment (staging, local dev with log aggregation, or accidentally in production), valid sign-in and sign-up tokens land in plaintext in log storage. Anyone with log read access can replay a token to authenticate as any user or hijack a signup flow.
Fix
Log only non-sensitive metadata — omit the token UUID and code fields:
```ts
logger.debug("Created sign-in token for {accountId} (expires in {expires})", {
  expires: EXPIRATION,
  accountId: tokenData.accountId,
});
```
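A small helper that applies the same rule generically, plus a check a log pipeline test can run on the rendered line. This is an added example, not code from this issue or the project; `safeLogContext`, `renderDebugLine`, `lineLeaksToken`, the token type names and the sample token values are all hypothetical, and the `{placeholder}` renderer is only a stand-in for whatever the project's logger does.

```typescript
// Added example, not code from the issue or the project. Type and function
// names are hypothetical; the token shapes follow the comments in the issue.
type SignInToken = { accountId: string; token: string; code: string };
type SignUpToken = { email: string; token: string; code: string };

// Keys that must never be written to a log line (token UUID and code).
const SECRET_KEYS: ReadonlySet<string> = new Set(["token", "code"]);

// Copy only the non-secret fields of a token object for use as log context.
function safeLogContext<T extends object>(data: T): Partial<T> {
  const out: Record<string, unknown> = {};
  for (const [key, value] of Object.entries(data)) {
    if (!SECRET_KEYS.has(key)) out[key] = value;
  }
  return out as Partial<T>;
}

// Minimal stand-in for "{placeholder}" templating so the rendered line can be
// inspected; the project's real logger may format values differently.
function renderDebugLine(template: string, ctx: Record<string, unknown>): string {
  return template.replace(/\{(\w+)\}/g, (m, key: string) =>
    key in ctx ? JSON.stringify(ctx[key]) : m);
}

// True if a rendered log line still contains the token UUID or the code.
function lineLeaksToken(line: string, tok: { token: string; code: string }): boolean {
  return line.includes(tok.token) || line.includes(tok.code);
}

// Constructed sample tokens (not real values).
const SAMPLE_SIGNIN: SignInToken = {
  accountId: "acct_123",
  token: "0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b",
  code: "483920",
};
const SAMPLE_SIGNUP: SignUpToken = {
  email: "user@example.com",
  token: "11111111-2222-3333-4444-555555555555",
  code: "c2VjcmV0",
};

// Before: the whole object is passed as context, so the line carries the secret.
const leakyLine = renderDebugLine(
  "Created sign-in token (expires in {expires}): {token}",
  { expires: 900, token: SAMPLE_SIGNIN });
// After: only metadata is passed as context.
const safeLine = renderDebugLine(
  "Created sign-in token for {accountId} (expires in {expires})",
  { expires: 900, ...safeLogContext(SAMPLE_SIGNIN) });
```

Running `lineLeaksToken` over sample-rendered lines in a unit test catches a regression to the full-object pattern before it reaches any environment with log aggregation.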
Found this while running CodeTitan on the repo — happy to share the full report. Not a blocker if debug is always off in prod, but worth tightening.
— Noa'Lia