go-pkgz / auth / 25572603805

85%

master: 85%

Pull #285

github

fix(sender/email): don't log email body, log size instead

The verify provider sends one-shot magic-link tokens by email; the
Email sender's debug log dumped the full body verbatim:

    [DEBUG] send "Confirmation token: <jwt>" to victim@example.com

Anyone with log access (centralized logging, crash bundles, support
tools, mail-gateway-adjacent observability) could redeem that token
within its TTL — independently of the legitimate recipient. The
verify-replay PR (#281) limits reuse to one consumption, but the
log-reader can still race the user for that one consumption.

Log only the recipient and the body length:

    [DEBUG] send 142-byte message to victim@example.com

Same fix in v1 (provider/sender/email.go:84) and v2
(v2/provider/sender/email.go:84), single PR.

Test: TestEmail_SendDoesNotLogBody captures logger output, sends a
known-secret body to a non-existent SMTP host, and asserts the body
substring is absent while the recipient is present. Added in both
modules.

1 of 1 new or added line in 1 file covered. (100.0%)

2798 of 3305 relevant lines covered (84.66%)

7.77 hits per line