openziti / edge

Application-embedded connectivity and zero-trust components
Apache License 2.0

entityChange events should mask or redact jwt token #1599

Closed mguthrie88 closed 1 year ago

mguthrie88 commented 1 year ago

Currently when new identities are created, the entityChange event emits the JWT token. This field should be masked or redacted so it doesn't leak sensitive info where it is not intended to go.

Example Event (some info redacted):

{
  "namespace": "entityChange",
  "eventId": "82383e5e-1adc-4206-b960-35c1730d4f97",
  "eventType": "created",
  "timestamp": "2023-08-31T18:44:49.502569449Z",
  "metadata": {
    "author": {
      "type": "identity",
      "id": "ycSAYCWKA",
      "name": "Default Admin"
    },
    "source": {
      "type": "rest",
      "auth": "edge",
      "localAddr": "REDACTED",
      "remoteAddr": "REDACTED",
      "method": "POST"
    },
    "version": "v0.28.1"
  },
  "entityType": "enrollments",
  "isParentEvent": false,
  "initialState": null,
  "finalState": {
    "id": "Zl8wegI3KI",
    "createdAt": "0001-01-01T00:00:00Z",
    "updatedAt": "0001-01-01T00:00:00Z",
    "tags": null,
    "isSystem": false,
    "token": "REDACTED",
    "method": "ott",
    "identityId": "ZfMwegI3K",
    "transitRouterId": null,
    "edgeRouterId": null,
    "expiresAt": "2023-09-02T18:44:49.479606485Z",
    "issuedAt": "2023-08-31T18:44:49.479607245Z",
    "caId": null,
    "username": null,
    "jwt": "eyJhbGc...REDACTED"
  }
}

plorenz commented 1 year ago

I'll also drop api session and session tokens, if that makes sense
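The redaction the issue asks for, and the extension to api session and session tokens mentioned in the reply, can be done in one place: the event emitter masks the sensitive keys before any sink (log file, message bus, webhook) sees the bytes. The Go below is an added example, not code from the openziti/edge project. It assumes the key names `apiSessionToken` and `sessionToken` for the session entities (the enrollment fields `jwt` and `token` are the ones shown in the issue's event), and uses a constructed, trimmed copy of that event with a dummy unsigned JWT as input. The `ContainsJWT` check is the kind of assertion a consumer or a unit test can run over emitted events to confirm nothing token-shaped got through.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Keys whose values must not leave the controller inside an event. "jwt" and
// "token" are the enrollment fields visible in the issue's event; the two
// session key names are assumptions for this example, not the project's own.
var sensitiveKeys = map[string]bool{
	"jwt":             true,
	"token":           true,
	"apisessiontoken": true, // assumed key name
	"sessiontoken":    true, // assumed key name
}

const masked = "REDACTED"

// Matches the three dot-separated base64url segments of a compact JWS/JWT.
// "eyJ" is the base64 encoding of the leading `{"` of the JSON header.
var jwtPattern = regexp.MustCompile(`eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*`)

// redact walks a decoded JSON value and replaces the value of every sensitive
// key, at any nesting depth and inside arrays, with the mask. Key matching is
// case-insensitive. Explicit nulls stay null so a consumer can still tell
// "field absent" from "field present but hidden".
func redact(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, val := range t {
			if sensitiveKeys[strings.ToLower(k)] {
				if val != nil {
					t[k] = masked
				}
				continue
			}
			t[k] = redact(val)
		}
		return t
	case []interface{}:
		for i, val := range t {
			t[i] = redact(val)
		}
		return t
	default:
		return v
	}
}

// RedactEventJSON decodes a raw event, masks sensitive fields and re-encodes it.
// This belongs in the emitter, before the event reaches any sink.
func RedactEventJSON(raw []byte) ([]byte, error) {
	var doc interface{}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, fmt.Errorf("decode event: %w", err)
	}
	return json.Marshal(redact(doc))
}

// ContainsJWT reports whether anything shaped like a compact JWT survived in
// the emitted bytes; a sink or a test can use it as a last-line check.
func ContainsJWT(b []byte) bool {
	return jwtPattern.Match(b)
}

// sampleEvent is a constructed, trimmed version of the entityChange event in
// the issue. The jwt is a dummy unsigned token (header {"alg":"none"}, payload
// {"sub":"demo"}) and the enrollment token is a placeholder string.
const sampleEvent = `{
  "namespace": "entityChange",
  "eventType": "created",
  "entityType": "enrollments",
  "initialState": null,
  "finalState": {
    "id": "Zl8wegI3KI",
    "token": "0f3c1a-constructed-enrollment-token",
    "method": "ott",
    "identityId": "ZfMwegI3K",
    "caId": null,
    "jwt": "eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0."
  }
}`

func main() {
	out, err := RedactEventJSON([]byte(sampleEvent))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
	fmt.Println("jwt leaked:", ContainsJWT(out))
}
```

Masking by key name rather than by value pattern is deliberate: the enrollment `token` is an opaque string with no recognizable shape, so a regex alone would miss it, while the JWT regex is kept only as a detective control over the final output.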