Log CLI auth token correlation fields (#631)

Author: jahooma

freebuff/web/src/app/api/auth/cli/code/route.ts

@@ -8,7 +8,10 @@ import { and, eq, gt } from 'drizzle-orm'
 import { NextResponse } from 'next/server'
 import { z } from 'zod/v4'
 
-import { buildCliAuthCode } from '@/app/onboard/_helpers'
+import {
+  buildCliAuthCode,
+  getCliAuthCodeHashPrefix,
+} from '@/app/onboard/_helpers'
 import { logger } from '@/util/logger'
 
 import { getLoginUrlOrigin } from './_origin'
@@ -82,6 +85,25 @@ export async function POST(req: Request) {
     )
     loginUrl.searchParams.set('auth_code', loginToken)
 
+    logger.info(
+      {
+        authCodeTokenHashPrefix: getCliAuthCodeHashPrefix(loginToken),
+        authCodeTokenLength: loginToken.length,
+        fingerprintIdPrefix: fingerprintId.slice(0, 24),
+        fingerprintIdLength: fingerprintId.length,
+        expiresAt,
+        loginUrlOrigin: loginUrl.origin,
+        requestOrigin: new URL(req.url).origin,
+        requestHost: req.headers.get('host'),
+        forwardedHost: req.headers.get('x-forwarded-host'),
+        forwardedProto: req.headers.get('x-forwarded-proto'),
+        originHeader: req.headers.get('origin'),
+        configuredAppUrl: env.NEXT_PUBLIC_CODEBUFF_APP_URL,
+        environment: env.NEXT_PUBLIC_CB_ENVIRONMENT,
+      },
+      'Issued Freebuff CLI auth code token',
+    )
+
     return NextResponse.json({
       fingerprintId,
       fingerprintHash,

freebuff/web/src/app/onboard/__tests__/helpers.test.ts

@@ -3,6 +3,7 @@ import { afterEach, beforeEach, describe, expect, test } from 'bun:test'
 
 import {
   buildCliAuthCode,
+  getCliAuthCodeHashPrefix,
   isAuthCodeExpired,
   isOpaqueCliAuthCodeToken,
   parseAuthCode,
@@ -110,6 +111,13 @@ describe('freebuff onboard/_helpers', () => {
       expect(isOpaqueCliAuthCodeToken(`${'A'.repeat(42)}.`)).toBe(false)
     })
 
+    test('hashes auth codes for log correlation without logging the token', () => {
+      expect(getCliAuthCodeHashPrefix('a'.repeat(43))).toBe('66d34fba71f8')
+      expect(getCliAuthCodeHashPrefix(` ${'a'.repeat(43)}\n`)).toBe(
+        '66d34fba71f8',
+      )
+    })
+
     test('resolves an opaque browser token before validation', async () => {
       const expiresAt = '4102444800000'
       const fingerprintHash = genAuthCode(

freebuff/web/src/app/onboard/_helpers.ts

@@ -1,3 +1,5 @@
+import { createHash } from 'node:crypto'
+
 import { genAuthCode } from '@codebuff/common/util/credentials'
 
 const OPAQUE_CLI_AUTH_CODE_TOKEN_RE = /^[A-Za-z0-9_-]{43}$/
@@ -14,6 +16,10 @@ export function isOpaqueCliAuthCodeToken(authCode: string): boolean {
   return OPAQUE_CLI_AUTH_CODE_TOKEN_RE.test(authCode.trim())
 }
 
+export function getCliAuthCodeHashPrefix(authCode: string): string {
+  return createHash('sha256').update(authCode.trim()).digest('hex').slice(0, 12)
+}
+
 export async function resolveCliAuthCode(
   authCode: string,
   consumeCliAuthCodeToken: (authCodeToken: string) => Promise<string | null>,

freebuff/web/src/app/onboard/page.tsx

@@ -12,7 +12,9 @@ import {
   hasCliSessionForAuthHash,
 } from './_db'
 import {
+  getCliAuthCodeHashPrefix,
   isAuthCodeExpired,
+  isOpaqueCliAuthCodeToken,
   parseAuthCode,
   resolveCliAuthCode,
   validateAuthCode,
@@ -112,8 +114,12 @@ const Onboard = async ({ searchParams }: PageProps) => {
     logger.warn(
       {
         authCodeLength: authCode.length,
+        authCodeTrimmedLength: authCode.trim().length,
+        authCodeHashPrefix: getCliAuthCodeHashPrefix(authCode),
+        isOpaqueAuthCodeToken: isOpaqueCliAuthCodeToken(authCode),
         resolvedAuthCode: resolvedOpaqueToken,
         resolvedAuthCodeLength: resolvedAuthCode.length,
+        userId: user.id,
         dotCount: authCode.match(/\./g)?.length ?? 0,
         hyphenCount: authCode.match(/-/g)?.length ?? 0,
         fingerprintIdPrefix: fingerprintId.slice(0, 24),

web/src/app/api/auth/cli/code/route.ts

@@ -8,7 +8,10 @@ import { and, eq, gt } from 'drizzle-orm'
 import { NextResponse } from 'next/server'
 import { z } from 'zod/v4'
 
-import { buildCliAuthCode } from '@/app/onboard/_helpers'
+import {
+  buildCliAuthCode,
+  getCliAuthCodeHashPrefix,
+} from '@/app/onboard/_helpers'
 import { logger } from '@/util/logger'
 
 import { getLoginUrlOrigin } from './_origin'
@@ -84,6 +87,25 @@ export async function POST(req: Request) {
     )
     loginUrl.searchParams.set('auth_code', loginToken)
 
+    logger.info(
+      {
+        authCodeTokenHashPrefix: getCliAuthCodeHashPrefix(loginToken),
+        authCodeTokenLength: loginToken.length,
+        fingerprintIdPrefix: fingerprintId.slice(0, 24),
+        fingerprintIdLength: fingerprintId.length,
+        expiresAt,
+        loginUrlOrigin: loginUrl.origin,
+        requestOrigin: new URL(req.url).origin,
+        requestHost: req.headers.get('host'),
+        forwardedHost: req.headers.get('x-forwarded-host'),
+        forwardedProto: req.headers.get('x-forwarded-proto'),
+        originHeader: req.headers.get('origin'),
+        configuredAppUrl: env.NEXT_PUBLIC_CODEBUFF_APP_URL,
+        environment: env.NEXT_PUBLIC_CB_ENVIRONMENT,
+      },
+      'Issued Codebuff CLI auth code token',
+    )
+
     return NextResponse.json({
       fingerprintId,
       fingerprintHash,

web/src/app/onboard/__tests__/helpers.test.ts

@@ -3,6 +3,7 @@ import { afterEach, beforeEach, describe, expect, test } from 'bun:test'
 
 import {
   buildCliAuthCode,
+  getCliAuthCodeHashPrefix,
   isAuthCodeExpired,
   isOpaqueCliAuthCodeToken,
   parseAuthCode,
@@ -238,6 +239,13 @@ describe('onboard/_helpers', () => {
       expect(isOpaqueCliAuthCodeToken(`${'A'.repeat(42)}.`)).toBe(false)
     })
 
+    test('hashes auth codes for log correlation without logging the token', () => {
+      expect(getCliAuthCodeHashPrefix('a'.repeat(43))).toBe('66d34fba71f8')
+      expect(getCliAuthCodeHashPrefix(` ${'a'.repeat(43)}\n`)).toBe(
+        '66d34fba71f8',
+      )
+    })
+
     test('resolves an opaque browser token before validation', async () => {
       const expiresAt = '4102444800000'
       const fingerprintHash = genAuthCode(

web/src/app/onboard/_helpers.ts

@@ -1,3 +1,5 @@
+import { createHash } from 'node:crypto'
+
 import { genAuthCode } from '@codebuff/common/util/credentials'
 
 const OPAQUE_CLI_AUTH_CODE_TOKEN_RE = /^[A-Za-z0-9_-]{43}$/
@@ -14,6 +16,10 @@ export function isOpaqueCliAuthCodeToken(authCode: string): boolean {
   return OPAQUE_CLI_AUTH_CODE_TOKEN_RE.test(authCode.trim())
 }
 
+export function getCliAuthCodeHashPrefix(authCode: string): string {
+  return createHash('sha256').update(authCode.trim()).digest('hex').slice(0, 12)
+}
+
 export async function resolveCliAuthCode(
   authCode: string,
   consumeCliAuthCodeToken: (authCodeToken: string) => Promise<string | null>,