Secret console #4
Code Review
This pull request updates the JwtStrategy to enhance logging for the Keycloak public key configuration, including error reporting for missing keys and logging the full key value. A security concern was identified regarding the exposure of the full cryptographic key in logs, which could lead to sensitive data leakage if misconfigured. It is recommended to log only the key's length instead.
logger.log(`KEYCLOAK_REALM_RSA_PUBLIC_KEY length: ${publicKey.length}`);
logger.log(`KEYCLOAK_REALM_RSA_PUBLIC_KEY full value:\n${publicKey}`);
Logging the full content of a cryptographic key (even a public one) is a security risk. If the environment variable is misconfigured to contain a private key, it will be exposed in the logs. It is recommended to only log the length or a truncated version of the key to verify its presence.
logger.log(`KEYCLOAK_REALM_RSA_PUBLIC_KEY length: ${publicKey.length}`);
logger.log(`KEYCLOAK_REALM_RSA_PUBLIC_KEY full value:\n${publicKey}`);
logger.log('KEYCLOAK_REALM_RSA_PUBLIC_KEY loaded (length: ' + publicKey.length + ')');
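Review bot: the suggested replacement line switches to string concatenation while the two lines it replaces use template literals; keep the template-literal style for consistency, e.g. logger.log(`KEYCLOAK_REALM_RSA_PUBLIC_KEY loaded (length: ${publicKey.length})`). Also confirm that the missing-key check the pull request adds runs before this call, since `publicKey.length` on an undefined value throws a TypeError instead of producing the intended error report.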
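As an added illustration of the concern raised in the review (not code from the pull request or the project), the helper below builds a log-safe description of the configured key instead of echoing its value. It assumes the key arrives through the KEYCLOAK_REALM_RSA_PUBLIC_KEY environment variable either as a bare base64 body or as a PEM block; `describeKeyForLog` and `KeyLogInfo` are hypothetical names, and the sample inputs are constructed.

```typescript
// Added example, not from the PR under review. Produces a message that is safe
// to hand to logger.log(): it reports presence, kind and length of the key but
// never the key material itself, and it refuses values that look like a
// private key (the misconfiguration the review comment is worried about).

export interface KeyLogInfo {
  ok: boolean;      // true when the value is usable as a public key
  message: string;  // log-safe text; never contains the key body
}

// Header fragments that indicate private key material (PKCS#1, PKCS#8, SEC1).
const PRIVATE_KEY_MARKERS = ['BEGIN RSA PRIVATE KEY', 'BEGIN PRIVATE KEY', 'BEGIN EC PRIVATE KEY'];

export function describeKeyForLog(publicKey: string | undefined): KeyLogInfo {
  // Missing or blank value: report the problem instead of crashing on .length.
  if (publicKey === undefined || publicKey.trim().length === 0) {
    return { ok: false, message: 'KEYCLOAK_REALM_RSA_PUBLIC_KEY is missing or empty' };
  }

  // A private key in the public-key slot: flag it, but do not reproduce it.
  if (PRIVATE_KEY_MARKERS.some((marker) => publicKey.includes(marker))) {
    return {
      ok: false,
      message: 'KEYCLOAK_REALM_RSA_PUBLIC_KEY contains private key material; refusing to use it (value not logged)',
    };
  }

  // Summarise only: PEM header type if present, otherwise "raw base64 body", plus length.
  const pemHeader = /-----BEGIN ([A-Z ]+)-----/.exec(publicKey);
  const kind = pemHeader ? pemHeader[1] : 'raw base64 body';
  return {
    ok: true,
    message: `KEYCLOAK_REALM_RSA_PUBLIC_KEY loaded (kind: ${kind}, length: ${publicKey.length})`,
  };
}

// Constructed sample inputs: a truncated base64 body and a PEM-wrapped public key.
const sampleBody = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA';
const samplePem = `-----BEGIN PUBLIC KEY-----\n${sampleBody}\n-----END PUBLIC KEY-----`;

console.log(describeKeyForLog(sampleBody).message);
console.log(describeKeyForLog(samplePem).message);
console.log(describeKeyForLog(undefined).message);
```

In a NestJS strategy the call would be `logger.log(describeKeyForLog(publicKey).message)` followed by throwing when `ok` is false, so the startup log still tells an operator which key was picked up without ever containing something worth redacting.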