Skip to content

Fix device auth debug output redaction#7489

Open
afurm wants to merge 1 commit intoShopify:mainfrom
afurm:af/redact-device-auth-debug
Open

Fix device auth debug output redaction#7489
afurm wants to merge 1 commit intoShopify:mainfrom
afurm:af/redact-device-auth-debug

Conversation

@afurm
Copy link
Copy Markdown
Contributor

@afurm afurm commented May 7, 2026

WHY are these changes introduced?

Verbose device authorization logging currently writes the raw authorization response. That response can include temporary auth values such as device_code, user_code, and verification_uri_complete, which can leak when users share --verbose logs.

WHAT is this pull request doing?

Redacts sensitive device authorization fields before writing the response to debug output.

Adds a focused cli-kit unit test that verifies the debug log does not contain the raw temporary auth values.

Adds a patch changeset for @shopify/cli-kit.

How to test your changes?

pnpm vitest run packages/cli-kit/src/private/node/session/device-authorization.test.ts
pnpm nx run cli-kit:type-check
pnpm nx run cli-kit:lint
git diff --check

Checklist

  • I've considered possible cross-platform impacts (Mac, Linux, Windows)
  • I've considered possible documentation changes
  • I've considered analytics changes to measure impact
  • The change is user-facing — I've identified the correct bump type (patch for bug fixes · minor for new features · major for breaking changes) and added a changeset with pnpm changeset add

@afurm afurm requested review from a team as code owners May 7, 2026 13:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@afurm