Skip to content

Security: PII (email) in production warn logs — remove or redact #728

Description

@nadavosa

Problem

user.ts:251 logs an email address at warn level (always on in production):

logger.warn(`User with email ${email} not found.`);

auth.ts:64 logs an email at debug level:

logger.debug(`Attempting to authenticate: ${email}`);

opportunity.routes.ts:393 logs the full PATCH body at debug level, which may include appointmentAddress (refugee PII):

logger.debug(`PATCH /opportunity/{id} ${JSON.stringify(parseOpportunity(request.body))}`);

Under GDPR, email addresses and appointment addresses are personal data and must not appear in logs unless there's a documented retention and access control policy for those logs.

Fix

  • user.ts:251: Replace email with a non-PII identifier, e.g. logger.warn("User not found for login attempt."); or log a hash of the email if correlation is needed
  • auth.ts:64: Change from debug to remove email, or remove entirely (the JWT plugin already logs userId on success)
  • opportunity.routes.ts:393: Replace JSON.stringify(parseOpportunity(request.body)) with Object.keys(request.body) or a non-PII summary

Context

Part of pre-NGO-onboarding security audit. CLAUDE.md already states: "Never log personal data."

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions