security(oauth): enable client auth and remove token logging

nickytonline · claude · nickytonline · commit 14459ac8f6f0 · 2025-10-08T11:17:52.000-04:00
- Enable client authentication for authorization code flow (OAuth 2.1 compliance) - Remove sensitive token fragments from log messages - Replace token substrings with token length for debugging - Improves security by preventing token exposure in logs 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/src/auth/discovery.ts b/src/auth/discovery.ts
@@ -133,8 +133,7 @@ export function createAuthorizeHandler(oauthServer: OAuth2Server) {
 
       logger.info("Authorization code granted", { 
         clientId: authorizationCode.client.id,
-        userId: user.id,
-        code: authorizationCode.authorizationCode.substring(0, 8) + "..."
+        userId: user.id
       });
 
       // Redirect back to client with authorization code
diff --git a/src/auth/oauth-provider.ts b/src/auth/oauth-provider.ts
@@ -126,14 +126,14 @@ export class OAuthProvider {
     
     const codeData = this.#authorizationCodes.get(code);
     if (!codeData) {
-      logger.warn("Invalid authorization code", { code: code.substring(0, 8) + "..." });
+      logger.warn("Invalid authorization code", { codeLength: code.length });
       return null;
     }
 
     // Check expiration
     if (codeData.expiresAt < new Date()) {
       this.#authorizationCodes.delete(code);
-      logger.warn("Expired authorization code", { code: code.substring(0, 8) + "..." });
+      logger.warn("Expired authorization code", { codeLength: code.length });
       return null;
     }
 
@@ -150,7 +150,7 @@ export class OAuthProvider {
 
     // PKCE verification
     if (!this.verifyPKCE(codeVerifier, codeData.codeChallenge)) {
-      logger.warn("PKCE verification failed", { code: code.substring(0, 8) + "..." });
+      logger.warn("PKCE verification failed", { codeLength: code.length });
       return null;
     }
 
diff --git a/src/auth/oauth-server.ts b/src/auth/oauth-server.ts
@@ -156,7 +156,7 @@ export class ManagedOAuthServer {
       },
       
       // OAuth 2.1 configuration
-      requireClientAuthentication: { authorization_code: false },
+      requireClientAuthentication: { authorization_code: true },
       allowBearerTokensInQueryString: false,
       accessTokenLifetime: 3600, // 1 hour
       authorizationCodeLifetime: 600, // 10 minutes
