Token being logged by agent container?

[lonix1]

When looking through an agent container's logs, I found this:

$ docker logs woodpecker-agent-1
2023/09/04 11:20:39 Token refreshed: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2023/09/04 11:50:39 Token refreshed: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2023/09/04 12:20:39 Token refreshed: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Logs are not secure; for example they might be redirected to a log aggregation tool. So the token would become compromised.

However that token "xxxx" is not the same as the "personal access token". What is it? Is it maybe a one-time token of some kind (which would be "safe" to log in this case)?

[anbraten]

It seems to be coming from the cron scheduler:

woodpecker/server/cron/cron.go

Line 129 in 503252d

log.Debug().Msgf("token refreshed: %t", refreshed)

The token is the oauth token used to authenticate as your user against the forge.

[lonix1]

Thanks. The thing is, I wrote "xxxx" above, but actually it is different each time.

So I thought maybe it's a one-time token, i.e. can only be used once?

If so, then it's not ideal to be logged, but nonetheless safe. Otherwise it needs some safety consideration.

[anbraten]

IMO we could just remove the actual token from the log line. Would be happy to accept a PR 😉