Redact script-token bearer secret from read paths (BUG-285640)#1948
Open
yongwen wants to merge 1 commit into
Open
Redact script-token bearer secret from read paths (BUG-285640)#1948yongwen wants to merge 1 commit into
yongwen wants to merge 1 commit into
Conversation
github-actions
Bot
added
deploy-service
Previously, every script-token read path returned the raw bearer
secret as part of `TokenRolesBean`. Anyone with the legacy READ role
on an environment could enumerate all tokens via
`GET /v1/envs/{env}/token_roles` and impersonate the script principal,
which effectively allowed privilege escalation since some tokens carry
ADMIN role.
Defense-in-depth changes:
Backend (deploy-service)
- `TokenRolesBean.token` is now `@JsonProperty(access = WRITE_ONLY)` so
it is never serialized into HTTP responses. `toString()` excludes the
field to keep logs and exception traces clean.
- `DBTokenRolesDAOImpl` selects a `SAFE_COLUMNS` list (no `token`) for
`getByResource` / `getByNameAndResource`. The authentication lookup
`getByToken` still does `SELECT *` because the bearer comparison
needs the column.
- `TokenRoles.create()` now returns a new `CreatedTokenRolesResponse`
DTO that includes the raw token. This is the *only* response shape
that contains the secret, and it is disclosed exactly once on the
`201 Created` reply to the caller.
- New role `MANAGE_SCRIPT_TOKEN` (privilege level 15) added between
OPERATOR and ADMIN. All `EnvTokenRoles` and `SystemTokenRoles`
endpoints (read AND mutate) now require this role instead of
READ/WRITE/DELETE. In Pastis, only `admin` and `envOwner` are granted
it; `legacyOperator`, `envMember`, `deployer`, and `reader` no
longer see token metadata.
- Tests cover token redaction at both DAO and bean levels.
Frontend (deploy-board)
- Removed the now-broken `Show Token` button and its
`get_user_token` view/URL; the backend no longer exposes the value.
- `update_users_config` captures the one-time token from each
`POST /token_roles` response and returns them to the browser.
- New non-dismissible modal displays freshly minted tokens once with
per-row copy-to-clipboard; values are scrubbed from the DOM on
acknowledgement. Deprecation banner updated to make the one-shot
disclosure model explicit.
Docs
- Added `MANAGE_SCRIPT_TOKEN` to the Teletraan auth action enum so
external authorizers (Pastis) accept it.
Co-authored-by: Cursor <cursoragent@cursor.com>
yongwen
force-pushed
the
bug-285640-redact-script-token-disclosure
branch
from
74f99bd to
9ed9d58
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Previously, every script-token read path returned the raw bearer secret as part of
TokenRolesBean. Anyone with the legacy READ role on an environment could enumerate all tokens viaGET /v1/envs/{env}/token_rolesand impersonate the script principal, which effectively allowed privilege escalation since some tokens carry ADMIN role.Defense-in-depth changes:
Backend (deploy-service)
✅ Rec #1 — Redact token on read operations
TokenRolesBean.tokenis now@JsonProperty(access = WRITE_ONLY)so it is never serialized into HTTP responses.toString()excludes the field to keep logs and exception traces clean.✅ Rec #2 — Elevate @RolesAllowed on GET endpoints
MANAGE_SCRIPT_TOKEN(privilege level 15) added between OPERATOR and ADMIN. AllEnvTokenRolesandSystemTokenRolesendpoints (read AND mutate) now require this role instead of READ/WRITE/DELETE. In Pastis, onlyadminandenvOwnerare granted it;legacyOperator,envMember,deployer, andreaderno longer see token metadata.✅ Rec #3 — Stop using SELECT * for token queries
DBTokenRolesDAOImplselects aSAFE_COLUMNSlist (notoken) forgetByResource/getByNameAndResource. The authentication lookupgetByTokenstill doesSELECT *because the bearer comparison needs the column.✅ Rec #4 — Audit the creation response
TokenRoles.create()now returns a newCreatedTokenRolesResponseDTO that includes the raw token. This is the only response shape that contains the secret, and it is disclosed exactly once on the201 Createdreply to the caller.Test:
Frontend (deploy-board)
Show Tokenbutton and itsget_user_tokenview/URL; the backend no longer exposes the value.update_users_configcaptures the one-time token from eachPOST /token_rolesresponse and returns them to the browser.Docs
MANAGE_SCRIPT_TOKENto the Teletraan auth action enum so external authorizers (Pastis) accept it.