SFU access_token parameter is logged unredacted

[hughns]

Describe the bug

What I'm expecting

Log lines like this:

connecting to wss://some.sfu.com/rtc?access_token=<redacted JWT>&auto_subscribe=1&sdk=js&version=2.5.0&protocol=15&adaptive_stream=1&network=wifi [object Object] |

What happens instead

connecting to wss://some.sfu.com/rtc?access_token=unredactedJWT&auto_subscribe=1&sdk=js&version=2.5.0&protocol=15&adaptive_stream=1&network=wifi [object Object] |

Reproduction

Enable debug logging and connect to SFU.

Logs

No response

System Info

Any browser.

Severity

annoyance

Additional Information

The logging in question is at

client-sdk-js/src/api/SignalClient.ts

Line 297 in 5abc169

this.log.debug(`connecting to ${url + params}`, this.logContext);

[lukasIO]

hi @hughns

is this a security concern for you?
The token can be seen in the network requests unredacted anyways

[hughns]

It's a minor security concern for the case of where console logs are shared or centrally logged and the JWT is unintentionally "leaked".

Depending on the expiry and scope of the allowed permissions by the JWT this might not be a major issue. But, if we simply don't log the token then this side steps any issue.