Sanitisation helpers for log lines, audit summaries, and error messages.
Doctrine 11: never log secrets. Recovery flows route every secret-adjacent string through one of these helpers before it reaches the audit trail or any log target. The functions return either a fixed placeholder string (for genuinely opaque secrets like passwords and MFA secrets) or a short fingerprint (for tokens that benefit from being correlatable in support traffic without leaking the full value).
Adopted by:
- `audit::record` summary text generation
- the upcoming `Mailer` debug logging path
- any handler that needs to format a status string mentioning a token or password
If you find yourself wanting to log a secret directly, ask whether the log line is more useful than the risk of disclosure. In every case the framework has shipped so far, the answer is no.
Functions
- `redact_backup_code`: Replace a backup code with a fixed placeholder. Codes are short-lived single-use; like passwords, the right log line is “redacted” with no fingerprint.
- `redact_mfa_secret`: Replace an MFA secret with a fixed placeholder. MFA secrets are always stored encrypted at rest; this helper exists so a stray log statement during development can’t accidentally write the plaintext.
- `redact_password`: Replace any password-like value with a fixed placeholder. Use this in summary strings and error messages — never the real password, not even truncated.
- `redact_token`: Render a short, privacy-preserving fingerprint of a token. The returned string includes the first 8 chars of `sha256(token)` — just enough for an operator to correlate two log lines about the same token without disclosing it. Never reverses to the original.