Skip to content

Commit fda1670

Browse files
committed
fix(m2m): keep ClientSecret out of json.Marshal via json:"-"
Prevents accidental exposure through structured logging, webhook payloads, or error dumps. Matches the existing User.Password convention.
1 parent ae4a85c commit fda1670

1 file changed

Lines changed: 3 additions & 1 deletion

File tree

internal/storage/schemas/service_account.go

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,9 @@ type ServiceAccount struct {
2828

2929
// ClientSecret holds the bcrypt hash of the credential.
3030
// Never expose this value in API responses.
31-
ClientSecret string `json:"client_secret" bson:"client_secret" cql:"client_secret" dynamo:"client_secret"`
31+
// json:"-" keeps it out of any json.Marshal of this struct (structured
32+
// logging, webhook payloads, error dumps), matching User.Password.
33+
ClientSecret string `json:"-" bson:"client_secret" cql:"client_secret" dynamo:"client_secret"`
3234

3335
// AllowedScopes is a comma-separated list of OAuth2 scopes this service
3436
// account may request. Scopes in a client_credentials request MUST be a

0 commit comments

Comments
 (0)