Remove exception log for api token errors

Printing the exception may reveal details about the password.
2025-10-26 08:06:09 +01:00 · 2025-01-17 14:46:17 +01:00
parent 9d2001895e
commit 7b74224a80
2 changed files with 3 additions and 3 deletions
--- a/gradle/changelog/remove_api_token_error_log.yaml
+++ b/gradle/changelog/remove_api_token_error_log.yaml
@@ -0,0 +1,2 @@
+- type: fixed
+  description: Removed the API token error log message that was being printed when the API token was invalid.
--- a/scm-webapp/src/main/java/sonia/scm/security/ApiKeyTokenHandler.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/ApiKeyTokenHandler.java
@@ -64,9 +64,7 @@ class ApiKeyTokenHandler {
      return of(OBJECT_MAPPER.readValue(decoder.decode(token), Token.class));
    } catch (IOException | DecodingException e) {
      LOG.debug("failed to read api token, perhaps it is a jwt token or a normal password");
-      if (LOG.isTraceEnabled()) {
-        LOG.trace("failed to parse token", e);
-      }
+      // do not print the exception here, because it could reveal password details
      return empty();
    }
  }