Conversation
…vents - Add token activity logging to token generation and verification - Add session logging for logout events - Add system startup logging - Create migration scripts for three new Supabase tables - token_activity_logs: Track token lifecycle events - session_logs: Track session activities (logout, logout_all) - system_logs: Track server startup and system events - Update authController to pass userId for better session tracking - Include security vulnerability analysis document BRANCH: Logging_in_NutriHelp STATUS: Code implementation complete, database tables pending creation
…vents - Add token activity logging to token generation and verification - Add session logging for logout events - Add system startup logging - Create migration scripts for three new Supabase tables - token_activity_logs: Track token lifecycle events - session_logs: Track session activities (logout, logout_all) - system_logs: Track server startup and system events - Update authController to pass userId for better session tracking - Include security vulnerability analysis document BRANCH: Logging_in_NutriHelp STATUS: Code implementation complete, database tables pending creation
…conflict in SECURITY_VULNERABILITY_ANALYSIS.md Using local version with enhanced vulnerability analysis including: - Actual vulnerable code from repository - Fix tracking checklist - Fixed code examples for verification
SECURITY FIXES: - Remove token payload logging from authService.js line 147 Prevented exposure of userId, email, role in logs - Remove full JWT token logging from authService.js line 158 Prevented exposure of complete authentication tokens (15-min validity) - Remove decoded token payload logging from authService.js line 310 Prevented exposure on every authenticated request (11,000+ logs/day for 100 users) - Remove MFA token code from logging in addMfaToken.js line 46 Prevented exposure of 6-digit 2FA codes in error messages IMPACT: Eliminates console-based token exposure Maintains persistent database logging (Supabase) for audit trails Complies with GDPR, ISO 27001, SOC 2, PCI DSS requirements No functional changes to authentication flow All fixes verified for syntax correctness. Analysis document updated with verification status.
|
Hi Himanshi , Thanks for the update At the moment, this PR cannot be merged because services/authService.js still contains unresolved merge conflict markers (<<<<<<< Logging_in_NutriHelp, =======, >>>>>>> master). Please resolve the conflict and push an updated commit. When resolving, please also explain which auth/session implementation you are keeping and why, because the two sides differ in security-critical areas: Supabase client usage Your branch uses supabase.from(...) in several places, but this file currently defines supabaseAnon and supabaseService. Please ensure you use the correct client consistently (likely supabaseService for session token writes/updates). Session/refresh token storage model master uses user_sessiontoken with hashed refresh tokens + lookup hash and deactivates old sessions. Your branch uses user_session and appears to store refresh token values directly. Logging Avoid adding new console.log(...) in auth flows (e.g., refresh token query result), and avoid logging anything that could be sensitive. Once the conflict is resolved and the final approach matches the repo’s current session/token design, I can re-review. Thanks King Hei |
Hi King, thanks for the review, the Conflicts are resolved. Aligned with master’s hashed refresh token model, removed sensitive logging, and used supabaseService for session writes. I've pushed the code again, please let me know if thats fine and good for merge/ or any changes still required to be done |
2 participants
Logging Security Vulnerabilities Analysis.md file created - identified critical logging vulnerabilities
Identified and noted the logging gaps in backend and made the console-based logging to persistent logging in the backend files.