fix: remove token value from Bad Token log messages (#35) #45

Open
cal wants to merge 1 commits from ai/major-domo-database-35 into next-release
Owner

Summary

Removes the raw bearer token value from logger.warning / logging.warning calls that logged Bad Token: {token} on 401 failures. These explicit log calls bypassed the redaction that @handle_db_errors provides.

Fix: Converted all f-string log messages to static strings — e.g., f'patch_play - Bad Token: {token}' → 'patch_play - Bad Token'.

Files Changed

22 router files under app/routers_v3/:

  • stratplay/crud.py, sbaplayers.py, draftlist.py, divisions.py, views.py, decisions.py, stratgame.py, awards.py, standings.py, pitchingstats.py, current.py, battingstats.py, managers.py, transactions.py, keepers.py, schedules.py, injuries.py, custom_commands.py, draftpicks.py, results.py, help_commands.py, draftdata.py

Tests

No test suite for this repo — verified by grepping that no remaining Bad Token.*{token} interpolations exist in any router file.

Closes #35
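A repeatable form of the grep verification described above, as an added example that is not part of the original PR or the project's code: an AST scan that flags any logging call whose arguments reference a variable named `token`. It goes beyond the `Bad Token.*{token}` pattern by also catching `%s`-style and `.format()` arguments; the sample sources, `valid_token` and `get_one` are constructed for illustration.

```python
import ast
import pathlib
import sys

LOG_METHODS = {"debug", "info", "warning", "error", "exception", "critical"}
SENSITIVE_NAMES = {"token"}  # assumption: the routers name the bearer token variable `token`


def find_token_logging(source, filename="<constructed>"):
    """Return (file, line, method, names) for each log call that references a sensitive name."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        # Heuristic: any `<obj>.warning(...)`-style call, which covers both
        # logger.warning (local logger) and logging.warning (module level).
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in LOG_METHODS):
            continue
        exprs = list(node.args) + [kw.value for kw in node.keywords]
        leaked = tuple(sorted({n.id for e in exprs for n in ast.walk(e)
                               if isinstance(n, ast.Name) and n.id in SENSITIVE_NAMES}))
        if leaked:
            findings.append((filename, node.lineno, node.func.attr, leaked))
    return sorted(findings)


# Constructed sample of the pattern this PR removes (only parsed, never executed).
BEFORE = '''\
def patch_play(token):
    if not valid_token(token):
        logger.warning(f'patch_play - Bad Token: {token}')
def get_one(token):
    if not valid_token(token):
        logging.warning('get_one - Bad Token: %s', token)
'''

# Constructed sample of the static-string form the PR converts to.
AFTER = '''\
def patch_play(token):
    if not valid_token(token):
        logger.warning('patch_play - Bad Token')
'''

if __name__ == "__main__":
    # Usage: python check_token_logging.py app/routers_v3
    root = pathlib.Path(sys.argv[1])
    hits = [h for p in sorted(root.rglob("*.py"))
            for h in find_token_logging(p.read_text(), str(p))]
    for hit in hits:
        print(*hit)
    sys.exit(1 if hits else 0)
```

The non-zero exit status on any finding lets the scan run as a CI step alongside the existing Docker build check.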

cal added 1 commit 2026-03-05 17:32:28 +00:00
fix: remove token value from Bad Token log messages (#35)
All checks were successful
Build Docker Image / build (pull_request) Successful in 2m6s
4a8470cc7c
Replace f-string log messages that interpolate the raw bearer token with
static strings that omit the token value entirely. Affected 22 router files.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
cal added the ai-reviewing label 2026-03-05 17:45:36 +00:00
cal reviewed 2026-03-05 17:47:13 +00:00
cal left a comment
Author
Owner

AI Code Review

Files Reviewed

  • app/routers_v3/awards.py (modified)
  • app/routers_v3/battingstats.py (modified)
  • app/routers_v3/current.py (modified)
  • app/routers_v3/custom_commands.py (modified)
  • app/routers_v3/decisions.py (modified)
  • app/routers_v3/divisions.py (modified)
  • app/routers_v3/draftdata.py (modified)
  • app/routers_v3/draftlist.py (modified)
  • app/routers_v3/draftpicks.py (modified)
  • app/routers_v3/help_commands.py (modified)
  • app/routers_v3/injuries.py (modified)
  • app/routers_v3/keepers.py (modified)
  • app/routers_v3/managers.py (modified)
  • app/routers_v3/pitchingstats.py (modified)
  • app/routers_v3/results.py (modified)
  • app/routers_v3/sbaplayers.py (modified)
  • app/routers_v3/schedules.py (modified)
  • app/routers_v3/standings.py (modified)
  • app/routers_v3/stratgame.py (modified)
  • app/routers_v3/stratplay/crud.py (modified)
  • app/routers_v3/transactions.py (modified)
  • app/routers_v3/views.py (modified)

Findings

Correctness

  • Fix is mechanically correct throughout: all f-strings of the form f'... - Bad Token: {token}' are replaced with equivalent static strings. No logic is altered.
  • Coverage is complete. Grepping the pre-merge working tree confirms every Bad Token.*{token} interpolation in routers_v3/ appears in this diff — no occurrences were missed.
  • sbaplayers.py uses the module-level logging.warning (rather than the local logger.warning used elsewhere); the fix correctly handles both styles.

Security

  • Issue resolved. Raw bearer tokens were previously written to the rotating log file (/tmp/sba-database.log), bypassing any redaction performed by @handle_db_errors. The static-string approach correctly eliminates this exposure with no functional side-effects.
  • No new security issues introduced.

Style & Conventions

  • No issues. Changes are minimal and consistent with the existing patterns in the codebase.

Suggestions

  • Several log messages contain pre-existing copy-paste errors in the function name prefix (e.g., awards.py logs 'patch_player - Bad Token' in patch_award/post_award/delete_award; results.py uses 'patch_player - Bad Token' in post_results; views.py logs 'refresh_season_batting_stats - Bad Token' inside refresh_season_pitching_stats). These bugs predate this PR and are out of scope here, but worth a follow-up cleanup for easier log triage.

Verdict: APPROVED

Security fix is correct, complete, and minimal in scope. All 22 files are covered with no regressions introduced. Note: Gitea prevented a formal approval (cannot self-approve), but this review is a clean pass.


Automated review by Claude PR Reviewer

cal added the ai-reviewed label 2026-03-05 17:47:44 +00:00
cal changed target branch from main to next-release 2026-03-07 07:32:38 +00:00
cal removed the ai-reviewing label 2026-03-23 15:32:49 +00:00
This pull request has changes conflicting with the target branch.
  • app/routers_v3/awards.py
  • app/routers_v3/battingstats.py
  • app/routers_v3/current.py
  • app/routers_v3/custom_commands.py
  • app/routers_v3/decisions.py
  • app/routers_v3/divisions.py
  • app/routers_v3/draftlist.py
  • app/routers_v3/draftpicks.py
  • app/routers_v3/help_commands.py
  • app/routers_v3/injuries.py

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin ai/major-domo-database-35:ai/major-domo-database-35
git checkout ai/major-domo-database-35
Reference: cal/major-domo-database#45