From 2af64b6068079e9319fafe9270df30bb95147e19 Mon Sep 17 00:00:00 2001
From: plind-dm <59729252+plind-dm@users.noreply.github.com>
Date: Fri, 3 Apr 2026 23:50:45 +0900
Subject: [PATCH] fix(security): redact Bearer tokens from server log output

Pino logged full Authorization headers in plaintext to server.log, exposing JWT tokens to any process with filesystem read access. Add redact paths so Bearer values appear as [Redacted] in log output.
Closes #2385
---
 server/src/middleware/logger.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/src/middleware/logger.ts b/server/src/middleware/logger.ts
index b268ebf3..b2c807cc 100644
--- a/server/src/middleware/logger.ts
+++ b/server/src/middleware/logger.ts
@@ -28,6 +28,7 @@ const sharedOpts = {
 export const logger = pino({
 level: "debug",
+ redact: ["req.headers.authorization", "req.headers[\"authorization\"]"],
 }, pino.transport({
 targets: [
 {
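Review bot: The two entries in the new `redact` array name the same property — pino's path syntax treats `req.headers.authorization` and `req.headers["authorization"]` identically, and Node lowercases incoming header names, so a single entry is enough and the duplicate only invites the assumption that case variants need separate paths. The list also covers only the Authorization header, while credentials reach the same `req.headers` object through `cookie` and `proxy-authorization` and leave through `res.headers["set-cookie"]`; a list such as `redact: ["req.headers.authorization", "req.headers.cookie", "req.headers[\"proxy-authorization\"]", "res.headers[\"set-cookie\"]"],` closes the same class of leak the commit describes, assuming the request/response serializers in use emit those keys. Redaction applies only to objects logged under the `req`/`res` keys, so any call that logs headers under another key is still unprotected — worth a one-line comment above the option, e.g. `// Paths are matched against serialized req/res objects only; log headers under those keys.` If the value should not appear at all, the object form `redact: { paths: [...], remove: true }` drops the key instead of emitting `[Redacted]`. The `pino({ ... }, pino.transport({ ... }))` call continues past the end of the hunk.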