yunxiafei/openclaw-mission-control
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

revert: restore truncated token_prefix in agent auth log messages

Browse Source 
A 6-character prefix of the token is standard practice for debugging
failed auth attempts and is not a security risk. Restored in both
required and optional auth paths, and removed the now-incorrect test
that asserted its absence.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Hugh Brown
2026-03-03 22:14:06 -07:00
committed by Abhimanyu Saharan
parent b2fb8a082d
commit 54279bf413
2 changed files with 4 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
backend/app/core/agent_auth.py
View File

@@ -132,8 +132,9 @@ async def get_agent_auth_context(
agent = await _find_agent_for_token(session, resolved) agent = await _find_agent_for_token(session, resolved)
if agent is None: if agent is None:
logger.warning( logger.warning(
"agent auth invalid token path=%s", "agent auth invalid token path=%s token_prefix=%s",
request.url.path, request.url.path,
resolved[:6],
) )
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED) raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED)
await _touch_agent_presence(request, session, agent) await _touch_agent_presence(request, session, agent)
@@ -173,8 +174,9 @@ async def get_agent_auth_context_optional(
if agent is None: if agent is None:
if agent_token: if agent_token:
logger.warning( logger.warning(
"agent auth optional invalid token path=%s", "agent auth optional invalid token path=%s token_prefix=%s",
request.url.path, request.url.path,
resolved[:6],
) )
return None return None
await _touch_agent_presence(request, session, agent) await _touch_agent_presence(request, session, agent)

18
backend/tests/test_security_fixes.py
View File

@@ -530,21 +530,3 @@ class TestGatewayTokenRedaction:
) )
assert read.has_token is False assert read.has_token is False
# ---------------------------------------------------------------------------
# Task 17: Token prefix no longer logged
# ---------------------------------------------------------------------------
class TestAgentAuthNoTokenPrefix:
"""Tests that agent auth no longer exposes token prefixes."""
def test_agent_auth_does_not_expose_token_prefix_symbol(self) -> None:
"""Verify the agent_auth module has no token_prefix-related symbols."""
from app.core import agent_auth
# Assert that no attribute name on the module contains "token_prefix".
# This avoids brittle source inspection while still guarding against
# reintroducing token_prefix-based behavior.
for name in dir(agent_auth):
assert "token_prefix" not in name.lower()