fix(auth): avoid printing OAuth status details

Keep auth status output from echoing provider-sourced values so CodeQL does not flag token-derived metadata as clear-text sensitive logging.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Austin Pickett
2026-05-12 00:31:36 -04:00
parent 2e12a5178a
commit b91d91e68d
2 changed files with 9 additions and 10 deletions
+8 -9
@@ -479,18 +479,17 @@ def auth_status_command(args) -> None:
raise SystemExit("Provider is required. Example: `hermes auth status spotify`.")
status = auth_mod.get_auth_status(provider)
if not status.get("logged_in"):
reason = status.get("error")
if reason:
print(f"{provider}: logged out ({reason})")
else:
print(f"{provider}: logged out")
# Avoid echoing provider error strings here. OAuth libraries and
# provider responses can include token-like fields in exception text,
# and this command may be copied into bug reports.
print(f"{provider}: logged out")
return
print(f"{provider}: logged in")
for key in ("auth_type", "client_id", "redirect_uri", "scope", "expires_at", "api_base_url"):
value = status.get(key)
if value:
print(f" {key}: {value}")
if status.get("expires_at") or status.get("expires_at_ms"):
print(" token: present (expiry available)")
if status.get("has_refresh_token"):
print(" refresh_token: present")
def auth_logout_command(args) -> None:
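Review bot: The logged-out branch now drops `status.get("error")` entirely, and nothing in this hunk routes the reason anywhere else (no logger call, no verbose flag), so a user whose login or refresh failed sees the same `spotify: logged out` as someone who never logged in and has nothing to act on. Rather than echoing the raw provider string, keep a redacted signal, e.g. `if status.get("error"): print(f"{provider}: logged out (last auth attempt failed; run `hermes auth login {provider}` again)")`, or map a whitelist of known provider error codes to fixed messages so exception text never reaches stdout. A related nit: `token: present (expiry available)` is inferred from `expires_at`/`expires_at_ms`, not from the token itself; if `get_auth_status` exposes an access-token presence flag alongside `has_refresh_token`, key that line on it and print the expiry line separately. The enclosing `auth_status_command` starts before the hunk (its first visible line is already mid-body).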
+1 -1
@@ -85,7 +85,7 @@ def test_auth_spotify_status_command_reports_logged_in(capsys, monkeypatch: pyte
auth_status_command(SimpleNamespace(provider="spotify"))
output = capsys.readouterr().out
assert "spotify: logged in" in output
assert "client_id: spotify-client" in output
assert "spotify-client" not in output
def test_spotify_logout_does_not_reset_model_provider(
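Review bot: The new negative assertion `assert "spotify-client" not in output` only pins the logged-in path; the other half of the commit, suppressing the error reason on the logged-out path, has no test in this hunk, so a later refactor could reintroduce `print(f"{provider}: logged out ({reason})")` unnoticed. Add a sibling test that stubs `get_auth_status` the same way this test does but returns `{"logged_in": False, "error": "access_token=redacted-marker"}`, then asserts `"spotify: logged out" in output` and `"redacted-marker" not in output`. Asserting only the absence of the fixture string, rather than a full expected line, is worth keeping since it survives benign output changes. The enclosing `test_auth_spotify_status_command_reports_logged_in` starts before the hunk.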