From a0aa19d9813c7f38e2681479c10254a6c19e89d3 Mon Sep 17 00:00:00 2001
From: Piers
Date: Thu, 2 Apr 2026 23:51:07 +1100
Subject: [PATCH] server: redact client secret from authentication error messages

The allowRelyingParty function included the plaintext client secret in the error message on authentication failure. This leaks credentials into server logs, which may be aggregated into centralised logging systems. Replace the secret with only the client ID, which is sufficient for debugging authentication failures.

Signed-off-by: Piers Dawson-Damer
---
 server/token.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/token.go b/server/token.go
index ea1516f55..762a98616 100644
--- a/server/token.go
+++ b/server/token.go
@@ -920,7 +920,7 @@ func (ar *AuthRequest) allowRelyingParty(r *http.Request) (int, error) {
 		return http.StatusBadRequest, fmt.Errorf("tsidp: client_id mismatch")
 	}
 	if clientSecretcmp != 1 {
-		return http.StatusUnauthorized, fmt.Errorf("tsidp: invalid client secret: [%s] [%s]", clientID, clientSecret)
+		return http.StatusUnauthorized, fmt.Errorf("tsidp: invalid client secret for client %q", clientID)
 	}
 	return http.StatusOK, nil
 }
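Review bot: The new error line gives no hint of why the secret is deliberately omitted, so a later edit could reintroduce it; I would add a comment directly above it, `// Never include clientSecret here: this error ends up in server logs.` The `client_id mismatch` branch at the top of the hunk still names no client at all, so if that path is logged the same way, `fmt.Errorf("tsidp: client_id mismatch for client %q", clientID)` would keep the two messages consistently debuggable. `clientSecretcmp` is computed before the hunk; I assume it is the result of a constant-time comparison that yields 1 on match, which this change does not touch. The rest of allowRelyingParty, including where these errors are logged or returned to the HTTP client, starts outside the hunk and is not visible here.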