template-fastapi-react
Potential fix for code scanning alert no. 2: Clear-text logging of sensitive information
Potential fix for https://github.com/equinor/template-fastapi-react/security/code-scanning/2
To fix this problem, we should avoid directly logging the value of config.OAUTH_WELL_KNOWN. Instead, we can log a general error message without including the potentially sensitive configuration value. This ensures attackers cannot retrieve configuration details from log files, and we maintain useful error logging for debugging.
Hence, in get_JWK_client on line 27, we should change:
logger.error(f"Failed to fetch OpenId Connect configuration for '{config.OAUTH_WELL_KNOWN}': {error}")
to something like:
logger.error(f"Failed to fetch OpenId Connect configuration: {error}")
No new imports or methods are needed.
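Worked example added here, not code from the template-fastapi-react repository: the alerted log line and the suggested replacement run side by side against a constructed config value and a stand-in fetch that always fails. The stand-in exception text echoes the URL, as many HTTP client errors do, which goes one step beyond the suggestion above: dropping the value from the f-string is not enough when `{error}` still carries it, so a third variant adds a logging filter that scrubs the configured value. Config, MemoryHandler, RedactConfigFilter, fetch_openid_config and get_jwk_client are names assumed for this example.

```python
import logging
from dataclasses import dataclass

logger = logging.getLogger("auth")

@dataclass
class Config:
    OAUTH_WELL_KNOWN: str  # constructed stand-in for the project's setting

config = Config(OAUTH_WELL_KNOWN="https://idp.example.test/tenant-guid/.well-known/openid-configuration")

class MemoryHandler(logging.Handler):
    """Collects formatted records so callers can inspect what would reach the log file."""
    def __init__(self):
        super().__init__()
        self.messages = []

    def emit(self, record):
        self.messages.append(self.format(record))

class RedactConfigFilter(logging.Filter):
    """Scrubs the configured value from every record, including text carried inside an exception."""
    def __init__(self, secret):
        super().__init__()
        self.secret = secret

    def filter(self, record):
        record.msg = record.getMessage().replace(self.secret, "<OAUTH_WELL_KNOWN>")
        record.args = ()
        return True

def fetch_openid_config(url):
    # Constructed stand-in for the HTTP fetch: it fails and, like many HTTP clients, echoes the URL in the error.
    raise ConnectionError(f"Max retries exceeded with url: {url}")

def get_jwk_client(variant):
    """variant: 'before' (alerted line), 'after' (suggested line) or 'after+filter'. Returns the log lines."""
    handler = MemoryHandler()
    logger.handlers = [handler]
    logger.filters = [RedactConfigFilter(config.OAUTH_WELL_KNOWN)] if variant == "after+filter" else []
    logger.propagate = False
    try:
        fetch_openid_config(config.OAUTH_WELL_KNOWN)
    except Exception as error:
        if variant == "before":
            logger.error(f"Failed to fetch OpenId Connect configuration for '{config.OAUTH_WELL_KNOWN}': {error}")
        else:
            logger.error(f"Failed to fetch OpenId Connect configuration: {error}")
    return handler.messages
```

Running the three variants shows the URL in the "before" line, still present in the "after" line via the exception text, and replaced by `<OAUTH_WELL_KNOWN>` only once the filter is installed.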
Suggested fixes powered by Copilot Autofix. Review carefully before merging.