fix: prevent OIDC token data leaking to logs, update audit findings

- Redact OIDC token exchange error logs to only include HTTP status
- Add additional findings from exhaustive server security scan to
  AUDIT_FINDINGS.md

https://claude.ai/code/session_01SoQKcF5Rz9Y8Nzo4PzkxY8
Claude
2026-03-30 23:36:29 +00:00
parent 643504d89b
commit 63232e56a3
2 changed files with 12 additions and 1 deletions


@@ -191,7 +191,7 @@ router.get('/callback', async (req: Request, res: Response) => {
const tokenData = await tokenRes.json() as OidcTokenResponse;
if (!tokenRes.ok || !tokenData.access_token) {
console.error('[OIDC] Token exchange failed:', tokenData);
console.error('[OIDC] Token exchange failed: status', tokenRes.status);
return res.redirect(frontendUrl('/login?oidc_error=token_failed'));
}