From 5548820e24f33e37457983b5b2d8481028c537d0 Mon Sep 17 00:00:00 2001
From: Shinsuke Sugaya
Date: Sun, 15 Mar 2026 16:53:50 +0900
Subject: [PATCH] fix(security): mask sensitive tokens in EntraIdAuthenticator debug logs

Truncate idToken and refreshToken to first 8 characters in debug log output to prevent full token exposure in log files.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../org/codelibs/fess/sso/entraid/EntraIdAuthenticator.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/codelibs/fess/sso/entraid/EntraIdAuthenticator.java b/src/main/java/org/codelibs/fess/sso/entraid/EntraIdAuthenticator.java
index 94622af151..d3340e2e8e 100644
--- a/src/main/java/org/codelibs/fess/sso/entraid/EntraIdAuthenticator.java
+++ b/src/main/java/org/codelibs/fess/sso/entraid/EntraIdAuthenticator.java
@@ -333,7 +333,7 @@ protected AuthenticationResponse parseAuthenticationResponse(final String url, f
 protected void validateNonce(final StateData stateData, final IAuthenticationResult authData) {
 final String idToken = authData.idToken();
 if (logger.isDebugEnabled()) {
- logger.debug("idToken={}", idToken);
+ logger.debug("idToken={}***", idToken.substring(0, Math.min(8, idToken.length())));
 }
 try {
 final JWTClaimsSet claimsSet = JWTParser.parse(idToken).getJWTClaimsSet();
@@ -363,7 +363,7 @@ protected void validateNonce(final StateData stateData, final IAuthenticationRes
 public IAuthenticationResult getAccessToken(final String refreshToken) {
 final String authority = getAuthority() + getTenant() + "/";
 if (logger.isDebugEnabled()) {
- logger.debug("refreshToken={}, authority={}", refreshToken, authority);
+ logger.debug("refreshToken={}***, authority={}", refreshToken.substring(0, Math.min(8, refreshToken.length())), authority);
 }
 try {
 final ConfidentialClientApplication app = ConfidentialClientApplication
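Review bot: The new masking expression dereferences `idToken` inside the debug guard, so a null `authData.idToken()` now throws NullPointerException from the log statement that the replaced null-tolerant `logger.debug("idToken={}", idToken)` used to handle; the second hunk has the same issue with `refreshToken`, which previously would simply have been logged as `null` before reaching the try block. Both hunks also repeat the same substring arithmetic, so I would move it into one null-safe helper and call it from both log lines, e.g. `logger.debug("idToken={}", maskToken(idToken));`. As a side note, the first 8 characters of a JWT are the base64 of its fixed header, so that prefix adds little correlation value; if the intent is to match log lines to a token, a short prefix of a SHA-256 digest of the token would do that without writing any token bytes to the log. validateNonce and getAccessToken both continue past their hunks.
```java
    // Debug-log form of a token: at most its first 8 characters, never the full value.
    protected static String maskToken(final String token) {
        if (token == null) {
            return "null";
        }
        return token.substring(0, Math.min(8, token.length())) + "***";
    }

    // … unchanged: validateNonce up to the debug guard …
            logger.debug("idToken={}", maskToken(idToken));
    // … unchanged: getAccessToken up to the debug guard …
            logger.debug("refreshToken={}, authority={}", maskToken(refreshToken), authority);
```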