배포#25
Conversation
[#19] fix: 토큰 내부 claims로 travelItineraryId와 userId 파싱
docker-compose env_file 추가
There was a problem hiding this comment.
Code Review
This pull request transitions the extraction of travelItineraryId from query parameters to the token payload within SecondaryTokenAuthenticator.js, while also introducing extensive logging for WebSocket lifecycle events in TravelDocWebSocketServer.js. Feedback was provided regarding a potential sensitive data exposure in the URL sanitization logic, where a fallback is needed to ensure tokens are redacted even if URL parsing fails.
| } catch { | ||
| return req.url ?? "/"; | ||
| } |
There was a problem hiding this comment.
The catch block in sanitizeRequestUrl returns the original req.url if parsing fails. If the URL contains a sensitive secondaryToken and the parser throws an error (e.g., due to a malformed host header or an invalid URL structure), the unredacted token will be logged. It is safer to return a generic string or perform a basic string replacement as a fallback to prevent sensitive data exposure in logs.
| } catch { | |
| return req.url ?? "/"; | |
| } | |
| } catch { | |
| return (req.url ?? "/").replace(/secondaryToken=[^&]*/g, "secondaryToken=[redacted]"); | |
| } |
No description provided.