@@ -131,7 +131,8 @@ public async Task<IActionResult> CompleteLogin(
131131 }
132132 catch ( Exception ex )
133133 {
134- logger . LogWarning ( ex , "Invalid or expired callback token for state {StateCode}" , body . StateCode ) ;
134+ logger . LogWarning ( ex , "Invalid or expired callback token for state {StateCode}" ,
135+ SanitizeForLog ( body . StateCode ) ) ;
135136 return BadRequest ( new { error = "Invalid or expired callback token." } ) ;
136137 }
137138
@@ -158,7 +159,7 @@ public async Task<IActionResult> CompleteLogin(
158159 var existingUser = await userRepository . GetUserByEmailAsync ( normalizedEmail , cancellationToken ) ;
159160 if ( existingUser == null )
160161 {
161- logger . LogWarning ( "Step-up requested but user not found: {Email}" , normalizedEmail ) ;
162+ logger . LogWarning ( "Step-up complete-login: no existing portal user for callback token; sign-in required first." ) ;
162163 return BadRequest ( new { error = "Step-up requires an existing session. Please sign in again." } ) ;
163164 }
164165
@@ -169,11 +170,11 @@ public async Task<IActionResult> CompleteLogin(
169170 user . UpdatedAt = DateTime . UtcNow ;
170171 await userRepository . UpdateUserAsync ( user , cancellationToken ) ;
171172
172- // Message/template differs from earlier builds (email removed for PII); refresh any log alerts that matched the old text.
173+ var safeStateKey = SanitizeForLog ( stateKey ) ;
173174 logger . LogInformation (
174175 "OIDC step-up complete-login succeeded: UserId {UserId}, StateCode {StateCode}, IalLevel {IalLevel}, IdProofingStatus {IdProofingStatus}" ,
175176 user . Id ,
176- stateKey ,
177+ safeStateKey ,
177178 user . IalLevel ,
178179 user . IdProofingStatus ) ;
179180 }
@@ -189,6 +190,18 @@ public async Task<IActionResult> CompleteLogin(
189190 : Ok ( new { token } ) ;
190191 }
191192
193+ /// <summary>
194+ /// Removes newline/control-friendly breaks from values logged from user input.
195+ /// </summary>
196+ private static string SanitizeForLog ( string ? value )
197+ {
198+ if ( string . IsNullOrEmpty ( value ) )
199+ return string . Empty ;
200+ return value
201+ . Replace ( "\r " , string . Empty , StringComparison . Ordinal )
202+ . Replace ( "\n " , string . Empty , StringComparison . Ordinal ) ;
203+ }
204+
192205 /// <summary>
193206 /// Gets the email from the callback token claims.
194207 /// </summary>