Redact auth token secrets from debug logs

[puneetdixit200]

Summary

• Redact sign-in token debug logs so they keep account/expiry context without logging token UUIDs or verification codes.
• Redact sign-up token debug logs so they keep expiry/invited metadata without logging email addresses, inviter IDs, token UUIDs, or verification codes.
• Add LogTape capture tests that exercise the real token creation paths and assert replay secrets are absent from debug log properties.

Fixes #245

AI assistance

This pull request and commit were prepared with OpenAI GPT-5.5. I reviewed the issue, policy, code paths, tests, and validation output before submitting.

Validation

• RED: docker run --rm -u "$(id -u):$(id -g)" -e DENO_DIR=/workspace/.deno_cache -e DATABASE_URL=postgres://postgres:postgres@127.0.0.1:5432/hackerspub_test -v "$PWD":/workspace -w /workspace denoland/deno:2.7.13 deno test --allow-all --filter "token debug log omits" models/signin.test.ts models/signup.test.ts failed before the fix because the expected redacted log records were absent.
• GREEN: same focused debug-log test command passed after the fix.
• docker run --rm -u "$(id -u):$(id -g)" -e DENO_DIR=/workspace/.deno_cache -e DATABASE_URL=postgres://postgres:postgres@127.0.0.1:5432/hackerspub_test -v "$PWD":/workspace -w /workspace denoland/deno:2.7.13 deno test --allow-all --filter "token" models/signin.test.ts models/signup.test.ts passed: 4 passed, 0 failed, 1 filtered.
• docker run --rm -u "$(id -u):$(id -g)" -e DENO_DIR=/workspace/.deno_cache -v "$PWD":/workspace -w /workspace denoland/deno:2.7.13 deno fmt --check models/signin.ts models/signin.test.ts models/signup.ts models/signup.test.ts passed.
• docker run --rm -u "$(id -u):$(id -g)" -e DENO_DIR=/workspace/.deno_cache -e DATABASE_URL=postgres://postgres:postgres@127.0.0.1:5432/hackerspub_test -v "$PWD":/workspace -w /workspace denoland/deno:2.7.13 deno lint models/signin.ts models/signin.test.ts models/signup.ts models/signup.test.ts passed.
• docker run --rm -u "$(id -u):$(id -g)" -e DENO_DIR=/workspace/.deno_cache -v "$PWD":/workspace -w /workspace denoland/deno:2.7.13 deno check models/signin.test.ts models/signup.test.ts passed.
• git diff --check -- models/signin.ts models/signin.test.ts models/signup.ts models/signup.test.ts passed.

[coderabbitai]

📝 Walkthrough

Walkthrough

Sign-in and sign-up token creation debug logs are updated to omit sensitive token UUIDs and verification codes, logging only non-sensitive metadata like accountId and expiration. Tests verify that sensitive properties are excluded from captured log records.

Changes

Token Logging Security Hardening

Layer / File(s)	Summary
Sign-in token logging sanitization models/signin.ts, models/signin.test.ts	Debug log in createSigninToken changed to record only accountId and expires instead of the full token object. New test configures log capture, verifies the log message exists, and asserts that token and code are omitted from logged properties.
Sign-up token logging sanitization models/signup.ts, models/signup.test.ts	Debug log in createSignupToken changed to record only expiration and invited boolean instead of the full token object. New test configures log capture, verifies the log message exists, and asserts that email, inviterId, token, and code are omitted from logged properties.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title "Redact auth token secrets from debug logs" clearly and concisely summarizes the main objective of the changeset: removing sensitive authentication token information from debug logging.
Linked Issues check	✅ Passed	The PR fully addresses issue #245 requirements: signin logs now include only accountId and expiry (omitting token UUID and code), signup logs include only expiry and invited metadata (omitting email, inviter ID, token UUID, and code), and LogTape tests verify sensitive fields are absent.
Out of Scope Changes check	✅ Passed	All changes are directly in scope: modifications to signin/signup logging and corresponding tests to verify redaction of sensitive fields per issue #245 requirements.
Description check	✅ Passed	The pull request description clearly outlines the changes to redact sensitive auth token data from debug logs in signin/signup models, with specific details on what is being removed and retained, plus comprehensive validation results.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates the sign-in and sign-up token creation logic to prevent sensitive data, such as tokens and codes, from being logged in debug statements. It also adds comprehensive test cases to verify that these secrets are omitted from the logs. Two review comments were provided regarding the alphabetical ordering of external imports in the test files to comply with the repository style guide.