
fix(auth): stop logging bearer tokens in DataHubOAuthAuthenticator #18140

Merged
max-datahub merged 1 commit into datahub-project:master from max-datahub:fix/oauth-authenticator-token-logging on Jul 2, 2026

Conversation

@max-datahub (Collaborator)

Summary

DataHubOAuthAuthenticator logged the entire request header map at INFO on
every authentication attempt:

log.info("Request headers are: {}", context.getRequestHeaders());

The header map includes the Authorization header — i.e. the full bearer JWT.
This wrote live credentials into normal application logs, which are commonly
shipped to centralized logging, retained, and indexed. The line was leftover
debug logging.

This PR removes the line entirely. No replacement is added: the token is never
needed in logs. If header diagnostics are ever wanted in the future, they should
be added at DEBUG with the Authorization value redacted.

Impact: any deployment with external OAuth authentication enabled was
exposing bearer tokens in its logs.

Checklist

  • The PR conforms to DataHub's Contributing Guideline (particularly PR Title Format)
  • Links to related issues (if applicable)
  • Tests for the changes have been added/updated (if applicable) — N/A: pure removal of a debug log statement; no behavior change beyond suppressing the leak
  • Docs related to the changes have been added/updated (if applicable) — N/A
  • For any breaking change/potential downtime/deprecation/big changes an entry has been made in Updating DataHub — N/A: no breaking change

🤖 Generated with Claude Code
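As an added example (not DataHub's code and not part of this PR), this is the redacted DEBUG-level form the description recommends should the diagnostics ever be reinstated; it assumes an SLF4J logger and that the header map is a plain `Map<String, String>`. HTTP header names are case-insensitive (HTTP/2 clients send them lower-cased), so the match is done on the lower-cased name rather than on a literal `Authorization` key.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Example (not DataHub's code): header diagnostics that never emit credentials. */
public final class RedactingHeaderLogger {
  private static final Logger log = LoggerFactory.getLogger(RedactingHeaderLogger.class);

  /** Lower-cased names of headers that carry credentials; compared case-insensitively. */
  private static final Set<String> SENSITIVE =
      Set.of("authorization", "proxy-authorization", "cookie", "set-cookie");

  private static final String REDACTED = "<redacted>";

  private RedactingHeaderLogger() {}

  /** Returns a copy of the header map with every credential-bearing value replaced. */
  public static Map<String, String> redact(Map<String, String> headers) {
    Map<String, String> safe = new LinkedHashMap<>();
    for (Map.Entry<String, String> e : headers.entrySet()) {
      String name = e.getKey();
      // HTTP header names are case-insensitive: "authorization" must match too.
      boolean sensitive = name != null && SENSITIVE.contains(name.toLowerCase(Locale.ROOT));
      safe.put(name, sensitive ? REDACTED : e.getValue());
    }
    return safe;
  }

  /** Replacement for the removed INFO line: DEBUG only, and only ever the redacted copy. */
  public static void logRequestHeaders(Map<String, String> headers) {
    if (log.isDebugEnabled()) { // skip building the copy when DEBUG is off
      log.debug("Request headers are: {}", redact(headers));
    }
  }

  public static void main(String[] args) {
    // Constructed sample: lower-cased header name, as HTTP/2 clients and proxies send it.
    Map<String, String> headers = new LinkedHashMap<>();
    headers.put("authorization", "Bearer <constructed-sample-jwt>");
    headers.put("Content-Type", "application/json");
    System.out.println(redact(headers));
  }
}
```

Keeping the guard on `isDebugEnabled()` also means that a production logger left at INFO never pays for the copy, and the raw map is never handed to the logger at all.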

The OAuth authenticator logged the full request header map at INFO on
every authentication attempt, which includes the Authorization header
(the bearer JWT). This wrote live credentials into normal application
logs. This was leftover debug logging.

Remove the line entirely. If header diagnostics are ever needed, they
should be added at DEBUG with the Authorization value redacted.

Impact: any deployment with external OAuth authentication enabled.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Max Margalith <max.margalith@datahub.com>
@github-actions github-actions Bot added devops PR or Issue related to DataHub backend & deployment community-contribution PR or Issue raised by member(s) of DataHub Community labels Jul 2, 2026
@max-datahub max-datahub marked this pull request as ready for review July 2, 2026 15:07
@codecov codecov Bot commented Jul 2, 2026

Bundle Report

Bundle size has no change ✅

@codecov codecov Bot commented Jul 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@max-datahub max-datahub enabled auto-merge (squash) July 2, 2026 16:31
@max-datahub max-datahub merged commit 08d6535 into datahub-project:master Jul 2, 2026
91 of 93 checks passed