Add token redaction to Identity serialization

jhrozek · jhrozek · commit 2a2c08dbed5c · 2025-10-31T10:09:12.000Z
Implement String() and MarshalJSON() methods on the Identity struct to
prevent accidental token leakage when logging or serializing identities.
diff --git a/pkg/vmcp/auth/auth.go b/pkg/vmcp/auth/auth.go
@@ -14,6 +14,8 @@ package auth
 
 import (
 	"context"
+	"encoding/json"
+	"fmt"
 	"net/http"
 
 	"github.com/golang-jwt/jwt/v5"
@@ -98,6 +100,58 @@ type Identity struct {
 	Metadata map[string]string
 }
 
+// String returns a string representation of the Identity with sensitive fields redacted.
+// This prevents accidental token leakage when the Identity is logged or printed.
+func (i *Identity) String() string {
+	if i == nil {
+		return "<nil>"
+	}
+
+	token := "REDACTED"
+	if i.Token == "" {
+		token = "<empty>"
+	}
+
+	return fmt.Sprintf("Identity{Subject:%q, Name:%q, Email:%q, Groups:%v, Token:%s, TokenType:%q}",
+		i.Subject, i.Name, i.Email, i.Groups, token, i.TokenType)
+}
+
+// MarshalJSON implements json.Marshaler to redact sensitive fields during JSON serialization.
+// This prevents accidental token leakage in structured logs, API responses, or audit logs.
+func (i *Identity) MarshalJSON() ([]byte, error) {
+	if i == nil {
+		return []byte("null"), nil
+	}
+
+	// Create a safe representation with lowercase field names and redacted token
+	type SafeIdentity struct {
+		Subject   string            `json:"subject"`
+		Name      string            `json:"name"`
+		Email     string            `json:"email"`
+		Groups    []string          `json:"groups"`
+		Claims    map[string]any    `json:"claims"`
+		Token     string            `json:"token"`
+		TokenType string            `json:"tokenType"`
+		Metadata  map[string]string `json:"metadata"`
+	}
+
+	token := i.Token
+	if token != "" {
+		token = "REDACTED"
+	}
+
+	return json.Marshal(&SafeIdentity{
+		Subject:   i.Subject,
+		Name:      i.Name,
+		Email:     i.Email,
+		Groups:    i.Groups,
+		Claims:    i.Claims,
+		Token:     token,
+		TokenType: i.TokenType,
+		Metadata:  i.Metadata,
+	})
+}
+
 // TokenAuthenticator validates JWT tokens and provides HTTP middleware for authentication.
 // This interface abstracts the token validation functionality from pkg/auth to enable
 // testing with mocks while the concrete *auth.TokenValidator implementation satisfies
diff --git a/pkg/vmcp/auth/auth_test.go b/pkg/vmcp/auth/auth_test.go
@@ -0,0 +1,141 @@
+package auth
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestIdentity_String(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name        string
+		identity    *Identity
+		contains    []string
+		notContains []string
+	}{
+		{
+			name: "redacts_token",
+			identity: &Identity{
+				Subject:   "user@example.com",
+				Name:      "Test User",
+				Email:     "user@example.com",
+				Groups:    []string{"admin", "users"},
+				Token:     "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.sensitive-token-data",
+				TokenType: "Bearer",
+			},
+			contains: []string{
+				"Subject:\"user@example.com\"",
+				"Name:\"Test User\"",
+				"Token:REDACTED",
+				"TokenType:\"Bearer\"",
+			},
+			notContains: []string{
+				"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9",
+				"sensitive-token-data",
+			},
+		},
+		{
+			name: "shows_empty_token",
+			identity: &Identity{
+				Subject: "user@example.com",
+				Token:   "",
+			},
+			contains:    []string{"Token:<empty>"},
+			notContains: []string{"REDACTED"},
+		},
+		{
+			name:        "handles_nil_identity",
+			identity:    nil,
+			contains:    []string{"<nil>"},
+			notContains: []string{},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			result := tc.identity.String()
+
+			for _, expected := range tc.contains {
+				assert.Contains(t, result, expected)
+			}
+
+			for _, forbidden := range tc.notContains {
+				assert.NotContains(t, result, forbidden)
+			}
+		})
+	}
+}
+
+func TestIdentity_MarshalJSON(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name        string
+		identity    *Identity
+		contains    []string
+		notContains []string
+	}{
+		{
+			name: "redacts_token",
+			identity: &Identity{
+				Subject:   "user@example.com",
+				Name:      "Test User",
+				Email:     "user@example.com",
+				Groups:    []string{"admin", "users"},
+				Token:     "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.sensitive-token-data",
+				TokenType: "Bearer",
+			},
+			contains: []string{
+				`"subject":"user@example.com"`,
+				`"name":"Test User"`,
+				`"email":"user@example.com"`,
+				`"token":"REDACTED"`,
+				`"tokenType":"Bearer"`,
+			},
+			notContains: []string{
+				"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9",
+				"sensitive-token-data",
+			},
+		},
+		{
+			name: "preserves_empty_token",
+			identity: &Identity{
+				Subject: "user@example.com",
+				Token:   "",
+			},
+			contains:    []string{`"subject":"user@example.com"`},
+			notContains: []string{`"token":"REDACTED"`},
+		},
+		{
+			name:        "handles_nil_identity",
+			identity:    nil,
+			contains:    []string{"null"},
+			notContains: []string{},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			data, err := json.Marshal(tc.identity)
+			require.NoError(t, err)
+
+			result := string(data)
+
+			for _, expected := range tc.contains {
+				assert.Contains(t, result, expected)
+			}
+
+			for _, forbidden := range tc.notContains {
+				assert.NotContains(t, result, forbidden)
+			}
+		})
+	}
+}
