🔒 API key leaked in error log when browser redirect auth receives invalid format #744

@sulthonzh

Description

The authenticate_with_browser_redirect() function logs the received API key value directly in the error message when the key format validation fails.

Context

  • File: cli/src/apikey_auth.rs:277 (approximate, in authenticate_with_browser_redirect)
  • Component: Browser-based API key authentication flow

Current Behavior

When the received key does not start with stkpk_api, the error message includes the full received value:

Err(format!("Invalid API key format received: {}", clean_key))

This means:

  1. If a real API key is somehow received in a slightly malformed way (e.g., extra prefix), it gets logged in plaintext
  2. If logging is configured at WARN level or below, the key appears in log files, systemd journal, or monitoring systems
  3. The key could appear in crash reports or error tracking systems

Expected Behavior

The error message should redact the sensitive value:

- Err(format!("Invalid API key format received: {}", clean_key))
+ Err(format!(
+     "Invalid API key format: received {} chars, expected prefix \"stkpk_api\"",
+     clean_key.len()
+ ))
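
Review bot: the replacement message says "received {} chars" but formats `clean_key.len()`, which in Rust is the UTF-8 byte length, not a character count; for any non-ASCII input the two differ. Either use `clean_key.chars().count()` or word the message as "bytes". Redacting down to a length is otherwise the right call, since a length leaks nothing useful about the key.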

Or if some prefix info is needed for debugging:

Err(format!(
    "Invalid API key format: key starts with \"{}\"",
    // Take the first 8 chars rather than slicing by byte index:
    // `&clean_key[..8]` panics if byte 8 is not a char boundary.
    clean_key.chars().take(8).collect::<String>()
))

Impact

  • Severity: Medium
  • Affected users: Anyone using ACP agent auth via browser redirect (authenticate_with_browser_redirect)
  • Risk: Credential exposure in logs, monitoring, or error tracking systems

Environment

  • Affects all versions with the browser redirect auth flow

Positively — happy to submit a PR if this is welcome.
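
The redaction described in this issue, carried through as a stand-alone example. This is added illustration, not code from the project's `cli/src/apikey_auth.rs`; only the `stkpk_api` prefix comes from the issue, and the function name, the `ApiKey` wrapper type and the hint length are assumptions. It handles the two failure shapes the issue raises (a real key with junk prepended, and a value that is not a key at all), counts characters rather than bytes, and wraps the accepted key in a type whose `Debug` output is redacted so a stray `{:?}` in a log line or panic cannot leak it.

```rust
use std::fmt;

// Added example, not code from the project discussed in the issue.
// `EXPECTED_PREFIX` is the prefix the issue names; everything else
// (function and type names, the hint length) is assumed for illustration.

const EXPECTED_PREFIX: &str = "stkpk_api";

/// Maximum number of leading junk characters echoed back for debugging.
const MAX_HINT_CHARS: usize = 16;

/// API key whose `Debug` output is redacted, so a stray `{:?}` in a log
/// line or panic message cannot leak it.
pub struct ApiKey(String);

impl ApiKey {
    /// Explicit accessor: the only way to get the secret out.
    pub fn expose(&self) -> &str {
        &self.0
    }
}

impl fmt::Debug for ApiKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "ApiKey([REDACTED, {} chars])", self.0.chars().count())
    }
}

/// Validate a key received from the browser redirect. On failure the error
/// describes the shape of the input (char count, and any junk preceding a
/// recognizable key prefix) but never the key material itself.
pub fn validate_api_key(received: &str) -> Result<ApiKey, String> {
    let clean_key = received.trim();
    if clean_key.starts_with(EXPECTED_PREFIX) {
        return Ok(ApiKey(clean_key.to_string()));
    }
    // chars().count(), not len(): len() is the UTF-8 byte length, and
    // slicing at an arbitrary byte index panics on non-ASCII input.
    let char_count = clean_key.chars().count();
    match clean_key.find(EXPECTED_PREFIX) {
        // A real key with something prepended (the issue's "extra prefix"
        // case). `find` returns a char boundary, so slicing to it is safe.
        // The junk is the useful diagnostic and is not the secret.
        Some(idx) => {
            let junk: String = clean_key[..idx].chars().take(MAX_HINT_CHARS).collect();
            Err(format!(
                "Invalid API key format: expected prefix {:?} preceded by unexpected {:?} ({} chars total)",
                EXPECTED_PREFIX, junk, char_count
            ))
        }
        // Nothing that looks like a key: report only its length.
        None => Err(format!(
            "Invalid API key format: received {} chars, expected prefix {:?}",
            char_count, EXPECTED_PREFIX
        )),
    }
}

fn main() {
    // Constructed inputs; none of these are real keys.
    for input in ["stkpk_api_example", "Bearer stkpk_api_example", "héllo"] {
        match validate_api_key(input) {
            Ok(key) => println!("ok: {:?}", key),
            Err(e) => println!("err: {}", e),
        }
    }
}
```

Returning `ApiKey` instead of `String` is the part that survives future refactors: the redaction then lives in the type, not in whichever `format!` call happens to be on the failure path today.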
