fix: remove debug logs from authentication and organization switching to enhance security and prevent sensitive information leakage

2026-02-22 20:18:06 +01:00
parent 18d9f59e5d
commit 1947c6a886
5 changed files with 1 additions and 10 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,6 +25,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 ### Fixed

 - **Organization context switch.** Switching away from a deleted organization now stores the session correctly instead of using an insecure fallback.
+- **Removed debug logs.** Auth and organization-switching details no longer leak into the browser console in production.

 ## [0.10.0-alpha] - 2026-02-21

--- a/app/actions/auth.ts
+++ b/app/actions/auth.ts
@@ -112,18 +112,13 @@ export async function exchangeAuthCode(code: string, codeVerifier: string, redir

 export async function setSessionAction(accessToken: string, refreshToken?: string) {
    try {
-        console.log('[setSessionAction] Decoding token...')
        if (!accessToken) throw new Error('Access token is missing')
        
        const payloadPart = accessToken.split('.')[1]
        const payload: UserPayload = JSON.parse(Buffer.from(payloadPart, 'base64').toString())
        
-        console.log('[setSessionAction] Token Payload:', { sub: payload.sub, org_id: payload.org_id })
-
        const cookieStore = await cookies()
        const cookieDomain = getCookieDomain()
-        
-        console.log('[setSessionAction] Setting cookies with domain:', cookieDomain)

        cookieStore.set('access_token', accessToken, {
            httpOnly: true,
@@ -146,8 +141,6 @@ export async function setSessionAction(accessToken: string, refreshToken?: strin
            })
        }
        
-        console.log('[setSessionAction] Cookies set successfully')
-
        return {
            success: true,
            user: {
--- a/components/WorkspaceSwitcher.tsx
+++ b/components/WorkspaceSwitcher.tsx
@@ -12,7 +12,6 @@ export default function OrganizationSwitcher({ orgs, activeOrgId }: { orgs: Orga
  const [switching, setSwitching] = useState<string | null>(null)

  const handleSwitch = async (orgId: string | null) => {
-    console.log('Switching to organization:', orgId)
    setSwitching(orgId || 'personal')
    try {
      // * If orgId is null, we can't switch context via API in the same way if strict mode is on
--- a/lib/api/organization.ts
+++ b/lib/api/organization.ts
@@ -47,7 +47,6 @@ export async function getUserOrganizations(): Promise<OrganizationMember[]> {
 // Switch Context (Get token for specific org)
 export async function switchContext(organizationId: string | null): Promise<{ access_token: string; expires_in: number }> {
  const payload = { organization_id: organizationId || '' }
-  console.log('Sending switch context request:', payload)
  return await authFetch<{ access_token: string; expires_in: number }>('/auth/switch-context', {
    method: 'POST',
    body: JSON.stringify(payload),
--- a/lib/auth/context.tsx
+++ b/lib/auth/context.tsx
@@ -159,7 +159,6 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
          // * If user has organizations but no context (org_id), switch to the first one
          if (!user.org_id && organizations.length > 0) {
             const firstOrg = organizations[0]
-             console.log('Auto-switching to organization:', firstOrg.organization_name)
             
             try {
                 const { access_token } = await switchContext(firstOrg.organization_id)