
Tech Story: Remove debug artifacts and fix password reset token log exposure #99

@GitAddRemote

Description


Tech Story

As a platform engineer, I want debug code and accidental secret exposure removed from the codebase so that production logs, API docs, and source code do not leak sensitive information or expose unnecessary attack surface.

Context

Three specific issues found in audit:

  1. GET /auth/test — A debug endpoint that runs a bcrypt demo with a hardcoded password and console.logs the result. Publicly accessible, no auth required.
  2. Password reset token in logs: requestPasswordReset() logs the raw reset token and full reset URL to the application log. In any log aggregation system, this token is now accessible to anyone with log access — not just DB access.
  3. Swagger UI in production: /api/docs is unconditionally mounted with persistAuthorization: true, publicly documenting all endpoints and persisting credentials in the browser.

Acceptance Criteria

  • GET /auth/test endpoint and its bcrypt import removed from AuthController
  • Password reset token and reset URL no longer written to any log; the TODO comment is preserved to indicate email sending is not yet implemented
  • Swagger UI only mounted when NODE_ENV !== 'production'
  • persistAuthorization: true removed from Swagger options (credentials should not persist in the browser)
  • No console.log calls remain in AuthController or AuthService

Technical Elaboration

  • In auth.controller.ts: delete the @Get('test') method and the bcrypt import
  • In auth.service.ts requestPasswordReset(): replace the two this.logger.log() calls that include the token/URL with a single neutral log: this.logger.log(`Password reset requested for user ID: ${user.id}`)
  • In main.ts: wrap the entire Swagger DocumentBuilder / SwaggerModule.setup block with if (process.env.NODE_ENV !== 'production') { ... }
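An added example, not the project's code: a plain-TypeScript sketch (no NestJS imports; all names are hypothetical) of the defensive side of the three items above: a redacting logger that scrubs a reset token or token-bearing URL should one reach a log call again, the neutral message the issue specifies, and the NODE_ENV gate for Swagger with persistAuthorization left out.

```typescript
// Hypothetical names; this is an illustration, not code from the repository.

interface LogSink { log(message: string): void; }

// Two shapes of secret this issue is about: a token carried in a reset URL
// query string, and a bare opaque token string (32+ url-safe characters).
const TOKEN_QUERY = /([?&]token=)[^&\s]+/gi;
const LONG_OPAQUE = /\b[A-Za-z0-9_-]{32,}\b/g;

// Scrub secrets out of a message before it reaches any sink.
function redact(message: string): string {
  return message
    .replace(TOKEN_QUERY, '$1[REDACTED]')
    .replace(LONG_OPAQUE, '[REDACTED]');
}

// Wraps any sink so a future accidental token/URL log line is scrubbed
// before it lands in the aggregation system; `lines` keeps what was written.
class RedactingLogger implements LogSink {
  readonly lines: string[] = [];
  constructor(private readonly inner: LogSink) {}
  log(message: string): void {
    const clean = redact(message);
    this.lines.push(clean);
    this.inner.log(clean);
  }
}

// The neutral message from the Technical Elaboration: user id only, no token, no URL.
function passwordResetLogMessage(userId: number | string): string {
  return `Password reset requested for user ID: ${userId}`;
}

// Swagger decision: mount only outside production, and never persist credentials.
interface SwaggerDecision { mount: boolean; swaggerOptions: Record<string, unknown>; }

function swaggerSetup(nodeEnv: string | undefined): SwaggerDecision {
  if (nodeEnv === 'production') return { mount: false, swaggerOptions: {} };
  // No persistAuthorization: true here, so nothing is persisted in the browser.
  return { mount: true, swaggerOptions: {} };
}

// Constructed sample: the kind of line the audit found, run through the guard.
const demoSink: string[] = [];
const demoLogger = new RedactingLogger({ log: (m) => demoSink.push(m) });
demoLogger.log('Reset URL: https://app.example/reset?token=abc123def456');
demoLogger.log(passwordResetLogMessage(42));
```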

Notes

  • The password reset email flow itself (TODO: Send email) is out of scope for this issue — just remove the log exposure
  • After this change, developers testing password reset locally will need to query the DB directly for the token until the email service is implemented


Labels: backend (Backend services and logic), security (Security, auth, and permissions), tech-story (Technical implementation story)
