security: remove exception detail from /auth/refresh response (C-03)

Replaced the bare except that leaked str(e) (JWT library internals,
claim validation messages) with a generic "Invalid refresh token" detail.
Full traceback is now logged server-side via the structured logger.
Re-raises HTTPException before the generic handler so valid 401s from
inner checks are not double-wrapped.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Vadym Samoilenko 2026-04-29 14:11:59 +01:00
parent 70f6c6befb
commit e81acebc45

@ -312,13 +312,17 @@ async def refresh_token(
full_name=user.full_name
)
except HTTPException:
raise
except Exception as e:
print(f"🚨 REFRESH ERROR: Exception during refresh: {type(e).__name__}: {e}")
import traceback
print(f"Traceback:\n{traceback.format_exc()}")
from ...core.logging import get_logger
get_logger(__name__).exception(
"Refresh token error: %s\n%s", type(e).__name__, traceback.format_exc()
)
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=f"Invalid refresh token: {str(e)}",
detail="Invalid refresh token",
)
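Review bot: In the new `get_logger(__name__).exception(...)` call, `traceback.format_exc()` is passed as a format argument, but on a standard `logging`-style logger `.exception()` already records the active traceback, so each failure would be logged with the stack twice. If `get_logger` returns such a logger, reduce the call to `get_logger(__name__).exception("Refresh token error: %s", type(e).__name__)` and drop the `import traceback` line. The `from ...core.logging import get_logger` inside the `except` block would be clearer as a module-level import; if it is local to avoid a circular import, a short comment saying so would help. Since the exception text now goes to the log verbatim, it is also worth confirming that the JWT library's messages never embed the refresh token itself.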