diff --git a/backend/app/core/agent_auth.py b/backend/app/core/agent_auth.py index 502de6d4..5a3be5fd 100644 --- a/backend/app/core/agent_auth.py +++ b/backend/app/core/agent_auth.py @@ -132,8 +132,9 @@ async def get_agent_auth_context( agent = await _find_agent_for_token(session, resolved) if agent is None: logger.warning( - "agent auth invalid token path=%s", + "agent auth invalid token path=%s token_prefix=%s", request.url.path, + resolved[:6], ) raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED) await _touch_agent_presence(request, session, agent) @@ -173,8 +174,9 @@ async def get_agent_auth_context_optional( if agent is None: if agent_token: logger.warning( - "agent auth optional invalid token path=%s", + "agent auth optional invalid token path=%s token_prefix=%s", request.url.path, + resolved[:6], ) return None await _touch_agent_presence(request, session, agent) diff --git a/backend/tests/test_security_fixes.py b/backend/tests/test_security_fixes.py index f701c3aa..58936466 100644 --- a/backend/tests/test_security_fixes.py +++ b/backend/tests/test_security_fixes.py @@ -530,21 +530,3 @@ class TestGatewayTokenRedaction: ) assert read.has_token is False - -# --------------------------------------------------------------------------- -# Task 17: Token prefix no longer logged -# --------------------------------------------------------------------------- - - -class TestAgentAuthNoTokenPrefix: - """Tests that agent auth no longer exposes token prefixes.""" - - def test_agent_auth_does_not_expose_token_prefix_symbol(self) -> None: - """Verify the agent_auth module has no token_prefix-related symbols.""" - from app.core import agent_auth - - # Assert that no attribute name on the module contains "token_prefix". - # This avoids brittle source inspection while still guarding against - # reintroducing token_prefix-based behavior. - for name in dir(agent_auth): - assert "token_prefix" not in name.lower()