security: prevent Jupyter token exposure in logs

- Add stripTokenFromURL() helper function to remove tokens from URLs - Use it when logging service start URLs - Use it when logging connectivity test URLs - Prevents sensitive tokens from being written to log files
2026-02-18 16:11:50 -05:00 · 2026-02-18 16:11:50 -05:00 · 6446379a40
commit 6446379a40
parent a64233d4f6
2 changed files with 14 additions and 2 deletions
--- a/internal/jupyter/network_manager.go
+++ b/internal/jupyter/network_manager.go
@ -340,7 +340,7 @@ func (nm *NetworkManager) TestConnectivity(_ context.Context, config *NetworkCon
 		}
 	}()

-	nm.logger.Info("connectivity test passed", "url", url)
+	nm.logger.Info("connectivity test passed", "url", stripTokenFromURL(url))
 	return nil
 }

--- a/internal/jupyter/service_manager.go
+++ b/internal/jupyter/service_manager.go
@ -14,6 +14,18 @@ import (
 	"github.com/jfraeys/fetch_ml/internal/logging"
 )

+// stripTokenFromURL removes the token query parameter from a URL for safe logging
+func stripTokenFromURL(url string) string {
+	idx := strings.Index(url, "?token=")
+	if idx == -1 {
+		idx = strings.Index(url, "&token=")
+	}
+	if idx != -1 {
+		return url[:idx]
+	}
+	return url
+}
+
 const (
 	serviceStatusRunning = "running"
 	defaultWorkspaceBase = "/data/active/workspaces"
@ -451,7 +463,7 @@ func (sm *ServiceManager) StartService(
 	sm.logger.Info("jupyter service started",
 		"service_id", serviceID,
 		"name", req.Name,
-		"url", url,
+		"url", stripTokenFromURL(url),
 		"workspace", req.Workspace)

 	return service, nil