Tech Story
As a platform engineer, I want debug code and accidental secret exposure removed from the codebase so that production logs, API docs, and source code do not leak sensitive information or expose unnecessary attack surface.
Context
Three specific issues found in audit:
- GET /auth/test — A debug endpoint that runs a bcrypt demo with a hardcoded password and console.logs the result. Publicly accessible, no auth required.
- Password reset token in logs — requestPasswordReset() logs the raw reset token and full reset URL to the application log. In any log aggregation system, this token is now accessible to anyone with log access — not just DB access.
- Swagger UI in production — /api/docs is unconditionally mounted with persistAuthorization: true, publicly documenting all endpoints and persisting credentials in the browser.
Acceptance Criteria
- GET /auth/test endpoint and its bcrypt import removed from AuthController
- requestPasswordReset() no longer writes the reset token or reset URL to the application log
- Swagger UI (/api/docs) is only mounted when NODE_ENV !== 'production'
- persistAuthorization: true removed from Swagger options (credentials should not persist in the browser)
- No console.log calls remain in AuthController or AuthService
Technical Elaboration
- In auth.controller.ts: delete the @Get('test') method and the bcrypt import.
- In auth.service.ts requestPasswordReset(): replace the two this.logger.log() calls that include the token/URL with a single neutral log: this.logger.log(`Password reset requested for user ID: ${user.id}`)
- In main.ts: wrap the entire Swagger DocumentBuilder / SwaggerModule.setup block with if (process.env.NODE_ENV !== 'production') { ... } and drop persistAuthorization: true from the SwaggerModule.setup options.
Notes
- The password reset email flow itself (TODO: Send email) is out of scope for this issue; just remove the log exposure.
- After this change, developers testing password reset locally will need to query the DB directly for the token until the email service is implemented.
- The NODE_ENV !== 'production' guard mounts the docs whenever NODE_ENV is unset or misspelled, so the production deployment must set NODE_ENV=production explicitly; verify this in the deploy config as part of this change.
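The three fixes from the Technical Elaboration, written as plain functions so the behaviour can be checked without booting NestJS. This is an added example, not the project's auth.service.ts or main.ts; the names RequestUser, LogSink, ResetFlow, auditResetFlow and the sample user/base URL are assumptions constructed for the example. The "before" flow is kept alongside the fixed one so the leak check can be shown catching the original finding.

```typescript
// Added example (not the project's code). Names RequestUser, LogSink,
// ResetFlow and auditResetFlow are assumptions for this illustration.
import { randomBytes } from 'crypto';

type LogSink = (line: string) => void;

interface RequestUser {
  id: number;
  email: string;
}

type ResetFlow = (user: RequestUser, log: LogSink, baseUrl: string) => { token: string; resetUrl: string };

// The ticket's Swagger guard: mount unless NODE_ENV is exactly 'production'.
// Consequence worth knowing: an unset or misspelled NODE_ENV also mounts the docs.
export function shouldMountSwagger(nodeEnv: string | undefined): boolean {
  return nodeEnv !== 'production';
}

// Swagger UI options in the "after" state: persistAuthorization is simply absent,
// so the browser does not keep the Authorize credentials across reloads.
export function swaggerUiOptions(): { swaggerOptions: Record<string, unknown> } {
  return { swaggerOptions: {} };
}

// "Before": the leaky flow as described in the audit finding.
export const requestPasswordResetLeaky: ResetFlow = (user, log, baseUrl) => {
  const token = randomBytes(32).toString('hex');
  const resetUrl = `${baseUrl}/reset-password?token=${token}`;
  log(`Password reset token for ${user.email}: ${token}`);
  log(`Reset URL: ${resetUrl}`);
  return { token, resetUrl };
};

// "After": one neutral log line. Token and URL are returned to the caller
// (to be persisted and, later, emailed) and never written to the log.
export const requestPasswordReset: ResetFlow = (user, log, baseUrl) => {
  const token = randomBytes(32).toString('hex');
  const resetUrl = `${baseUrl}/reset-password?token=${token}`;
  log(`Password reset requested for user ID: ${user.id}`);
  return { token, resetUrl };
};

// Returns every captured log line that contains any of the given secrets.
export function findSecretLeaks(lines: string[], secrets: string[]): string[] {
  return lines.filter((line) => secrets.some((s) => s.length > 0 && line.includes(s)));
}

// Runs a reset flow with a capturing logger and reports the lines that leak
// the freshly minted token or reset URL. Sample user and base URL are constructed.
export function auditResetFlow(flow: ResetFlow): string[] {
  const captured: string[] = [];
  const user: RequestUser = { id: 42, email: 'alice@example.test' };
  const { token, resetUrl } = flow(user, (line) => captured.push(line), 'https://app.example.test');
  return findSecretLeaks(captured, [token, resetUrl]);
}

console.log('mount swagger in production?', shouldMountSwagger('production'));
console.log('leaky flow leaked lines:', auditResetFlow(requestPasswordResetLeaky).length);
console.log('fixed flow leaked lines:', auditResetFlow(requestPasswordReset).length);
```

auditResetFlow is the shape of a regression test for this ticket: run the real service with a logger that records its lines, then assert that neither the token nor the reset URL appears in the capture. The shouldMountSwagger check with undefined input shows why the production environment must set NODE_ENV explicitly rather than relying on the guard alone.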