aws / aws-appsync-community

The AWS AppSync community
https://aws.amazon.com/appsync
Apache License 2.0

The resolver context includes the authorization header #300

Open sashee opened 1 year ago

sashee commented 1 year ago

The ctx.request.headers.authorization contains the exact authorization header that the client sent in the request.

image

This is very sensitive information, as it allows anybody who can read it to send requests impersonating the user with that token. And since it's included in the context, it's very easy to accidentally log it:

```javascript
// AppSync JavaScript resolver: logging the whole context sends the
// authorization header to CloudWatch along with everything else.
export function request(ctx) {
  console.log(ctx)
  // ...
}
```

```javascript
// Lambda resolver: the event is logged verbatim in the same way.
module.exports.handler = async (event) => {
  console.log(event)
  // ...
};
```

I think since the context already contains the identity with all important information about the caller, the authorization header should be removed or at least truncated.

Interestingly, AppSync resolver logging omits this:

image

And at the end of the request, it is truncated:

image
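One way to keep the header out of the log while still logging the rest of the context, as an added example that is not part of the issue or of AppSync's own code. `loggableContext` copies the context and truncates credential-bearing request headers before `console.log` sees them; the header list, the 10-character prefix that is kept, and the `request` handler's return value are assumptions for the example. It is written without recursion, regular expressions or try/catch so that it should also fit the APPSYNC_JS runtime's restrictions (that fit is an assumption; the code runs as plain Node for the checks below).

```javascript
// Added example, not code from the issue or from AppSync.
// Header names are compared case-insensitively; this list is an assumption.
const SENSITIVE_HEADERS = ['authorization', 'cookie', 'x-api-key', 'x-amz-security-token'];

// Keep a short, recognisable prefix (e.g. "Bearer eyJ") and drop the rest,
// so the log still shows what kind of credential was sent without exposing it.
function truncateSecret(value, keep) {
  if (typeof value !== 'string' || value.length <= keep) {
    return '[redacted]';
  }
  return value.slice(0, keep) + '...[redacted ' + (value.length - keep) + ' chars]';
}

// Returns a new headers object; the input object is not modified.
function redactHeaders(headers) {
  const out = {};
  const names = Object.keys(headers || {});
  for (const name of names) {
    if (SENSITIVE_HEADERS.includes(name.toLowerCase())) {
      out[name] = truncateSecret(headers[name], 10);
    } else {
      out[name] = headers[name];
    }
  }
  return out;
}

// Shallow copy of ctx with ctx.request.headers replaced by the redacted copy.
// identity, arguments, source, stash and the rest pass through unchanged, and
// the original ctx still holds the real header for the resolver's own use.
function loggableContext(ctx) {
  const request = Object.assign({}, ctx.request || {}, {
    headers: redactHeaders(ctx.request && ctx.request.headers),
  });
  return Object.assign({}, ctx, { request: request });
}

// Request handler shaped like the one in the issue, but logging the safe copy.
// The returned payload is a placeholder (a None data source would echo it).
function request(ctx) {
  console.log(loggableContext(ctx));
  return { payload: ctx.arguments };
}
```

Calling `console.log(loggableContext(ctx))` instead of `console.log(ctx)` is the only change needed in a resolver; a Lambda resolver can pass its `event` through the same function, since it carries the same `request.headers` field.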

onlybakam commented 9 months ago

That's correct: when AppSync logs the context object, sensitive information is removed from the log message. However, we do not edit/redact any information that is logged via console.log functions. The identity data and header data are made available in the context to allow developers to take specific action based on the values.
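Since `console.log` output is not redacted, the practical follow-up is to check what has already landed in the logs. The following is an added example, not code from the issue or from AWS: a scanner for exported log lines that flags request headers with credential values and bare JWT-shaped tokens, and notes when the value already looks redacted. The sample lines are constructed for the example (one in the JSON shape an APPSYNC_JS `console.log` emits, one in the `util.inspect` shape a Node Lambda emits); the header list and the redaction markers it recognises are assumptions.

```javascript
// Added example, not code from the issue or from AWS.
// Header names to look for; an assumption, extend as needed.
const HEADER_RE = /\b(authorization|x-api-key|cookie)\b["']?\s*[:=]\s*["']?([^"',\n}]+)/gi;
// Three base64url segments starting with "eyJ" ("{" encoded): the shape of a JWT.
const JWT_SRC = 'eyJ[A-Za-z0-9_-]{8,}\\.[A-Za-z0-9_-]{8,}\\.[A-Za-z0-9_-]{8,}';
const JWT_RE_G = new RegExp(JWT_SRC, 'g');
const JWT_RE = new RegExp(JWT_SRC);
// Markers that mean the value was already truncated before logging (assumed forms).
const REDACTED_RE = /\[redacted|\*{3,}/;

// Never copy the secret into the finding: keep a short prefix only.
function mask(secret) {
  return secret.length <= 8 ? '****' : secret.slice(0, 8) + '****';
}

function scanLogLine(line, lineNo) {
  const findings = [];
  for (const m of line.matchAll(HEADER_RE)) {
    const value = m[2].trim();
    findings.push({
      line: lineNo,
      kind: 'header',
      name: m[1].toLowerCase(),
      preview: mask(value),
      redacted: REDACTED_RE.test(value),
      jwt: JWT_RE.test(value),
    });
  }
  // A token can also leak outside a recognisable header (e.g. spread into a string).
  for (const m of line.matchAll(JWT_RE_G)) {
    findings.push({ line: lineNo, kind: 'jwt', name: null, preview: mask(m[0]), redacted: false, jwt: true });
  }
  return findings;
}

function scanLog(lines) {
  return lines.flatMap((line, i) => scanLogLine(line, i + 1));
}

// Constructed sample log lines (not real CloudWatch data).
const SAMPLE_LINES = [
  '2024-05-01T10:00:00Z INFO {"request":{"headers":{"authorization":"Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhYmMifQ.c2lnbmF0dXJlX2J5dGVz","host":"x.appsync-api.us-east-1.amazonaws.com"}},"identity":{"sub":"abc"}}',
  "2024-05-01T10:00:01Z INFO { request: { headers: { authorization: 'Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhYmMifQ.c2lnbmF0dXJlX2J5dGVz' } } }",
  '2024-05-01T10:00:02Z INFO {"identity":{"sub":"abc","username":"alice"},"arguments":{"id":"42"}}',
  '2024-05-01T10:00:03Z INFO {"request":{"headers":{"authorization":"Bearer eyJ...[redacted 35 chars]"}}}',
  '2024-05-01T10:00:04Z INFO {"request":{"headers":{"x-api-key":"da2-abcdefghijklmnopqrstuvwxyz1234"}}}',
];

for (const f of scanLog(SAMPLE_LINES)) {
  console.log(f.line, f.kind, f.name || '-', f.preview, f.redacted ? 'already redacted' : 'EXPOSED');
}
```

Run it over a `aws logs filter-log-events` export (or the log group's S3 export) and treat every non-redacted finding as a credential that needs the token revoked or left to expire, not just the log entry deleted.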