From a884a5724c0f4f2f4f6b315f7495eb08622f3d7b Mon Sep 17 00:00:00 2001
From: Miquel Gall
Date: Mon, 6 Oct 2025 14:10:21 -0400
Subject: [PATCH 1/4] Remove sensitive credential data from debug logs Sanitize debug logs to prevent accidental exposure of tokens and credentials by removing JSON.stringify calls that were logging OFSCredentials and callProcedureData objects.
---
 src/main.ts | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/src/main.ts b/src/main.ts
index ac0ca14..ec769cc 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -197,11 +197,7 @@ export abstract class OFSPlugin {
 },
 };
 console.debug(
- `${
- this.tag
- }. I will request the Token forthe application ${applicationKey} with this message ${JSON.stringify(
- callProcedureData
- )}`
+ `${this.tag}. Requesting token for application ${applicationKey}`
 );
 this.callProcedure(callProcedureData);
 globalThis.waitForProxy = true;
@@ -389,11 +385,7 @@ export abstract class OFSPlugin {
 token: parsed_message.resultData.token,
 };
 console.debug(
- `${
- this.tag
- }. I will create the proxy with this data ${JSON.stringify(
- OFSCredentials
- )}`
+ `${this.tag}. Creating proxy with provided credentials`
 );
 this._proxy = new OFS(OFSCredentials);
 globalThis.waitForProxy = false;
From fdafcbd3554fa8ca709b6e3a233774559d0a9bef Mon Sep 17 00:00:00 2001
From: Miquel Gall
Date: Mon, 6 Oct 2025 14:10:43 -0400
Subject: [PATCH 2/4] 1.5.1
---
 package-lock.json | 4 ++--
 package.json | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index dedd040..7f5f518 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@ { "name": "@ofs-users/plugin", - "version": "1.5.0", + "version": "1.5.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@ofs-users/plugin", - "version": "1.5.0", + "version": "1.5.1", "license": "UPL-1.0", "dependencies": { "@ofs-users/proxy": "^1.9.0"
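Review bot: The rewritten debug line in the -197 hunk still interpolates `applicationKey` into the log, so it is worth confirming that this value is only an application identifier and is not itself treated as a secret alongside the token request. If it is an identifier, a one-line comment above the call, for example `// applicationKey is an identifier, not a secret; never log callProcedureData or the token response`, would record why this field may be logged and the rest may not. The same reasoning applies to the -389 hunk, where the object holding `token` is now kept out of the message. Both `console.debug` calls sit in methods whose start and end are outside the hunks.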
diff --git a/package.json b/package.json
index c82a8c9..a06952b 100644
--- a/package.json
+++ b/package.json
@@ -5,7 +5,7 @@
 ],
 "name": "@ofs-users/plugin",
 "type": "module",
- "version": "1.5.0",
+ "version": "1.5.1",
 "description": "Oracle Field Service plugin base code",
 "main": "dist/ofs-plugin.es.js",
 "module": "dist/ofs-plugin.es.js",
From 2a9a2f1960f603716ac1e3f9663932f759187ba2 Mon Sep 17 00:00:00 2001
From: Miquel Gall
Date: Mon, 6 Oct 2025 14:23:28 -0400
Subject: [PATCH 3/4] Sanitize message logging to prevent token exposure Move message logging from generic handler to specific message type handlers to prevent logging sensitive data like tokens from callProcedureResult responses. This ensures getAccessToken responses are never logged with their token data. Changes: - Modified _getWebMessage to log only message method, not full data - Added specific debug logging in each message handler (init, open, updateResult, callProcedureResult, wakeup, error) - callProcedureResult handler logs only callId, not response data - Removed JSON.stringify from token response error log to avoid exposing token
---
 src/main.ts | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/main.ts b/src/main.ts
index ec769cc..4b2f343 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -100,17 +100,19 @@ export abstract class OFSPlugin {
 * @returns
 */
 private async _getWebMessage(message: MessageEvent): Promise {
- console.log(`${this._tag}: Message received:`, message.data);
- console.log(`${this._tag}: Coming from ${message.origin}`);
 // Validate that it is a valid OFS message
 var parsed_message = OFSMessage.parse(message.data);
+ console.log(`${this._tag}: Message received - method: ${parsed_message.method}`);
+ console.log(`${this._tag}: Coming from ${message.origin}`);
 switch (parsed_message.method) {
 case "init":
+ console.debug(`${this._tag}: Processing init message`);
 this._storeInitData(parsed_message as OFSInitMessage);
 this._init(parsed_message);
 break;
 case "open":
+ console.debug(`${this._tag}: Processing open message`);
 globalThis.waitForProxy = false;
 this._createProxy(parsed_message);
 var iteration: number = 0;
@@ -131,17 +133,21 @@ export abstract class OFSPlugin {
 this.open(parsed_message as OFSOpenMessage);
 break;
 case "updateResult":
+ console.debug(`${this._tag}: Processing updateResult message`);
 this.updateResult(parsed_message);
 break;
 case "callProcedureResult":
+ console.debug(`${this._tag}: Processing callProcedureResult - callId: ${(parsed_message as OFSCallProcedureResultMessage).callId}`);
 this._callProcedureResult(
 parsed_message as OFSCallProcedureResultMessage
 );
 break;
 case "wakeup":
+ console.debug(`${this._tag}: Processing wakeup message`);
 this.wakeup(parsed_message);
 break;
 case "error":
+ console.debug(`${this._tag}: Processing error message`);
 this.error(parsed_message);
 break;
 case "no method":
@@ -393,11 +399,7 @@ export abstract class OFSPlugin {
 }
 } else {
 console.error(
- `${
- this.tag
- }. Problems processing the Token Response ${JSON.stringify(
- parsed_message
- )}`
+ `${this.tag}. Problems processing the Token Response - missing resultData`
 );
 }
 } else {
From a0d5c578c0d4821c33985d295a71785c6832b724 Mon Sep 17 00:00:00 2001
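Review bot: In `_getWebMessage` the two `console.log` calls now run only after `OFSMessage.parse(message.data)`, so a message that fails parsing would leave no record of where it came from, assuming `parse` can throw (its body is not visible here). Logging `message.origin` before the parse keeps that diagnostic and still exposes nothing from `message.data`. The visible lines also dispatch on `parsed_message.method` without comparing `message.origin` to an expected origin; if that check is not done elsewhere, it belongs ahead of the `switch`, because the `callProcedureResult` branch carries the token. The method continues past the end of this hunk.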
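Review bot: The new `console.error` text in the -393 hunk states `missing resultData` as the cause, but the condition guarding this `else` branch lies outside the hunk, so the message may name the wrong failure if the branch is reachable some other way. It also drops every correlating detail from the error. The `callProcedureResult` case in the -131 hunk already treats `callId` as safe to log, so appending it here, for example `... - missing resultData (callId: ${parsed_message.callId})` if `parsed_message` is the result message in this method, would keep the failure traceable without printing the token.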
From: Miquel Gall
Date: Mon, 6 Oct 2025 14:23:29 -0400
Subject: [PATCH 4/4] 1.5.2
---
 package-lock.json | 4 ++--
 package.json | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 7f5f518..ae57358 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@ { "name": "@ofs-users/plugin", - "version": "1.5.1", + "version": "1.5.2", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@ofs-users/plugin", - "version": "1.5.1", + "version": "1.5.2", "license": "UPL-1.0", "dependencies": { "@ofs-users/proxy": "^1.9.0"
diff --git a/package.json b/package.json
index a06952b..2a50cdf 100644
--- a/package.json
+++ b/package.json
@@ -5,7 +5,7 @@
 ],
 "name": "@ofs-users/plugin",
 "type": "module",
- "version": "1.5.1",
+ "version": "1.5.2",
 "description": "Oracle Field Service plugin base code",
 "main": "dist/ofs-plugin.es.js",
 "module": "dist/ofs-plugin.es.js",