From 54279bf413748eca52205e6dd446f2cb0c3f7cd1 Mon Sep 17 00:00:00 2001
From: Hugh Brown
Date: Tue, 3 Mar 2026 22:14:06 -0700
Subject: [PATCH] revert: restore truncated token_prefix in agent auth log messages

A 6-character prefix of the token is standard practice for debugging failed auth attempts and is not a security risk. Restored in both required and optional auth paths, and removed the now-incorrect test that asserted its absence.

Co-Authored-By: Claude Opus 4.6
---
 backend/app/core/agent_auth.py       | 6 ++++--
 backend/tests/test_security_fixes.py | 18 ------------------
 2 files changed, 4 insertions(+), 20 deletions(-)

diff --git a/backend/app/core/agent_auth.py b/backend/app/core/agent_auth.py
index 502de6d4..5a3be5fd 100644
--- a/backend/app/core/agent_auth.py
+++ b/backend/app/core/agent_auth.py
@@ -132,8 +132,9 @@ async def get_agent_auth_context(
     agent = await _find_agent_for_token(session, resolved)
     if agent is None:
         logger.warning(
-            "agent auth invalid token path=%s",
+            "agent auth invalid token path=%s token_prefix=%s",
             request.url.path,
+            resolved[:6],
         )
         raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED)
     await _touch_agent_presence(request, session, agent)
@@ -173,8 +174,9 @@ async def get_agent_auth_context_optional(
     if agent is None:
         if agent_token:
             logger.warning(
-                "agent auth optional invalid token path=%s",
+                "agent auth optional invalid token path=%s token_prefix=%s",
                 request.url.path,
+                resolved[:6],
             )
         return None
     await _touch_agent_presence(request, session, agent)
diff --git a/backend/tests/test_security_fixes.py b/backend/tests/test_security_fixes.py
index f701c3aa..58936466 100644
--- a/backend/tests/test_security_fixes.py
+++ b/backend/tests/test_security_fixes.py
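Review bot: `resolved[:6]` truncates only when the token is at least six characters long, so a short or empty `resolved` is written to the warning log in full; the same line is added in the second hunk in `get_agent_auth_context_optional`. Even when truncated, the value is raw credential material landing in a log sink that is typically retained longer and readable by more people than the token store, and the rejected value may be a real token presented to the wrong endpoint or with a typo. A non-reversible fingerprint keeps the debugging value (correlating retries of the same token across log lines) without logging any of the secret: in both calls replace `resolved[:6],` with `hashlib.sha256(resolved.encode()).hexdigest()[:12],` and rename the format key to `token_fp=%s`, adding `import hashlib` at the top of the module if it is not already imported. Whether `resolved` is always a `str` is not visible in the hunk; if it can be `bytes`, drop the `.encode()`. Both enclosing functions begin before their hunks.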
@@ -530,21 +530,3 @@ class TestGatewayTokenRedaction:
         )
         assert read.has_token is False
 
-
-# ---------------------------------------------------------------------------
-# Task 17: Token prefix no longer logged
-# ---------------------------------------------------------------------------
-
-
-class TestAgentAuthNoTokenPrefix:
-    """Tests that agent auth no longer exposes token prefixes."""
-
-    def test_agent_auth_does_not_expose_token_prefix_symbol(self) -> None:
-        """Verify the agent_auth module has no token_prefix-related symbols."""
-        from app.core import agent_auth
-
-        # Assert that no attribute name on the module contains "token_prefix".
-        # This avoids brittle source inspection while still guarding against
-        # reintroducing token_prefix-based behavior.
-        for name in dir(agent_auth):
-            assert "token_prefix" not in name.lower()