fix: remove token value from Bad Token log warnings (#79) #85

Open
Claude wants to merge 1 commits from issue/79-stop-logging-raw-auth-tokens-in-warning-messages into main
Collaborator

Closes #79

Summary

Removed : {token} interpolation from all Bad Token logger/logging warning messages across 22 router files (73 occurrences). Auth tokens were being written to the log file in plaintext on every failed authentication attempt.

Changes

  • app/routers_v3/awards.py
  • app/routers_v3/battingstats.py
  • app/routers_v3/current.py
  • app/routers_v3/custom_commands.py
  • app/routers_v3/decisions.py
  • app/routers_v3/divisions.py
  • app/routers_v3/draftdata.py
  • app/routers_v3/draftlist.py
  • app/routers_v3/draftpicks.py
  • app/routers_v3/help_commands.py
  • app/routers_v3/injuries.py
  • app/routers_v3/keepers.py
  • app/routers_v3/managers.py
  • app/routers_v3/pitchingstats.py
  • app/routers_v3/results.py
  • app/routers_v3/sbaplayers.py
  • app/routers_v3/schedules.py
  • app/routers_v3/standings.py
  • app/routers_v3/stratgame.py
  • app/routers_v3/transactions.py
  • app/routers_v3/views.py
  • app/routers_v3/stratplay/crud.py

Before / After

# Before
logger.warning(f"patch_transactions - Bad Token: {token}")

# After
logger.warning("patch_transactions - Bad Token")

Unnecessary f-string prefix also removed since these strings no longer contain format variables.

Test Results

No test suite — verified changes by confirming zero remaining Bad Token.*{token} patterns via grep.
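An AST-based version of the grep check described under Test Results, added here as an example; it is not part of this pull request or the project's code. It assumes the credential variable is named `token` and the logging objects are named `logger` or `logging`, as in the snippets above, and it also flags `%s` and `.format()` calls that the `Bad Token.*{token}` pattern would not match. The sample source is constructed.

```python
import ast

SENSITIVE = {"token"}  # assumption: variable names that hold credentials
LOG_OBJECTS = {"logger", "logging"}  # assumption: names the routers log through
LOG_METHODS = {"debug", "info", "warning", "error", "exception", "critical"}


def leaked_names(node):
    """Return the sensitive variable names referenced anywhere inside an AST node."""
    return {n.id for n in ast.walk(node)
            if isinstance(n, ast.Name) and n.id in SENSITIVE}


def find_token_logging(source, filename="<src>"):
    """Return (line, call, names) for each log call whose arguments use a sensitive name."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        base = node.func.value
        if node.func.attr not in LOG_METHODS:
            continue
        if not (isinstance(base, ast.Name) and base.id in LOG_OBJECTS):
            continue
        names = set()
        # Covers f-strings, %-style arguments, .format() calls and keyword arguments.
        for arg in list(node.args) + [kw.value for kw in node.keywords]:
            names |= leaked_names(arg)
        if names:
            findings.append((node.lineno, f"{base.id}.{node.func.attr}", sorted(names)))
    return sorted(findings)


# Constructed sample: three leaking variants and the fixed form from this PR.
SAMPLE = '''\
import logging
logger = logging.getLogger(__name__)

def patch_transactions(token):
    logger.warning(f"patch_transactions - Bad Token: {token}")
    logging.warning("get_players - Bad Token: %s", token)
    logger.warning("post_results - Bad Token: {}".format(token))
    logger.warning("patch_transactions - Bad Token")
'''

if __name__ == "__main__":
    for line, call, names in find_token_logging(SAMPLE):
        print(f"line {line}: {call} logs {', '.join(names)}")
```

Run over each router file in CI, a non-empty result can fail the build so the interpolation cannot be reintroduced unnoticed.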

Claude added 1 commit 2026-03-27 04:32:59 +00:00
fix: remove token value from Bad Token log warnings (#79)
All checks were successful
Build Docker Image / build (pull_request) Successful in 2m18s
d06db9a9bb
Closes #79

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude added the
ai-reviewing
label 2026-03-27 04:45:52 +00:00
Claude reviewed 2026-03-27 04:46:54 +00:00
Claude left a comment
Author
Collaborator

AI Code Review

Files Reviewed

  • app/routers_v3/awards.py (modified)
  • app/routers_v3/battingstats.py (modified)
  • app/routers_v3/current.py (modified)
  • app/routers_v3/custom_commands.py (modified)
  • app/routers_v3/decisions.py (modified)
  • app/routers_v3/divisions.py (modified)
  • app/routers_v3/draftdata.py (modified)
  • app/routers_v3/draftlist.py (modified)
  • app/routers_v3/draftpicks.py (modified)
  • app/routers_v3/help_commands.py (modified)
  • app/routers_v3/injuries.py (modified)
  • app/routers_v3/keepers.py (modified)
  • app/routers_v3/managers.py (modified)
  • app/routers_v3/pitchingstats.py (modified)
  • app/routers_v3/results.py (modified)
  • app/routers_v3/sbaplayers.py (modified)
  • app/routers_v3/schedules.py (modified)
  • app/routers_v3/standings.py (modified)
  • app/routers_v3/stratgame.py (modified)
  • app/routers_v3/transactions.py (modified)
  • app/routers_v3/views.py (modified)
  • app/routers_v3/stratplay/crud.py (modified)

Findings

Correctness

  • All 22 files updated. The {token} f-string interpolation is removed from every Bad Token log warning across the codebase.
  • The f"..." prefix is also correctly removed from each affected line since no format variables remain.
  • sbaplayers.py uses logging.warning (module-level) rather than a local logger instance — both patterns are handled correctly.
  • Coverage confirmed: no remaining Bad Token.*{token} patterns in the diff.

Security

  • Fix confirmed: Bearer tokens are no longer written to /tmp/sba-database.log on failed auth attempts. This is the correct remediation for issue #79.
  • This is a re-implementation of PR #45 (approved but not merged before the next-release → main merge at #64). The approach is identical and correct.

Style & Conventions

  • No style regressions introduced. draftdata.py retains its pre-existing single-quote style — not changed by this PR.

Suggestions

  • Pre-existing copy-paste bugs in log message function name prefixes remain in several files (e.g., awards.py logs "patch_player - Bad Token" for all 3 of its auth checks; results.py logs "patch_player - Bad Token" for post_results and patch_result; current.py logs "patch_current - Bad Token" for its delete handler; draftlist.py logs "post_draftlist - Bad Token" for get_draftlist; views.py logs "refresh_season_batting_stats - Bad Token" for refresh_season_pitching_stats). These are pre-existing and out of scope for this PR but worth a follow-up cleanup.

Verdict: COMMENT

Clean, complete implementation. All 22 files updated, f-strings correctly removed, both logger and logging call styles handled. No issues found. Posting as COMMENT because Gitea blocks self-approval.


Automated review by Claude PR Reviewer

Claude added
ai-reviewed
and removed
ai-reviewing
labels 2026-03-27 04:47:16 +00:00
This pull request doesn't have enough approvals yet. 0 of 1 approvals granted.
This branch is out-of-date with the base branch

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin issue/79-stop-logging-raw-auth-tokens-in-warning-messages:issue/79-stop-logging-raw-auth-tokens-in-warning-messages
git checkout issue/79-stop-logging-raw-auth-tokens-in-warning-messages
Reference: cal/major-domo-database#85