| // Log Relaycast workspace key so users can view messages at relaycast.dev | ||
| const startupConfig = resolveRelaycastConfig(); | ||
| if (startupConfig?.apiKey) { | ||
| console.log(`[dashboard] Relaycast workspace key: ${startupConfig.apiKey}`); |
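Review bot: The `console.log` inside `if (startupConfig?.apiKey)` interpolates the full `startupConfig.apiKey`, and the code comment above it gives the reason as letting users view messages at relaycast.dev, so a masked value would not serve that stated purpose either. If users need the key for that, point them at the source `resolveRelaycastConfig()` reads it from, or print it only behind an explicit opt-in, and keep the default startup line free of the secret.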
🔴 Workspace API key logged in plaintext to stdout
The new code logs the Relaycast workspace API key (apiKey) in plaintext to stdout at server startup (proxy-server.ts:388) and when bootstrapping from the broker (proxy-server.ts:576). The previous code at the bootstrap site only logged a generic message ('[dashboard] Relaycast workspace key bootstrapped from broker') without revealing the key value. The apiKey is a secret credential used as a Bearer token for API authentication (see packages/dashboard-server/src/relaycast-provider-helpers.ts:251 — ``'Authorization': `Bearer ${config.apiKey}` ``). Logging it to stdout means it will appear in log aggregation systems (CloudWatch, Datadog, etc.), CI output, and process manager logs, exposing the credential to anyone with log access.
Prompt for agents
In packages/dashboard-server/src/proxy-server.ts, there are two locations that log the API key in plaintext:
1. Line 388: console.log(`[dashboard] Relaycast workspace key: ${startupConfig.apiKey}`);
2. Line 576: console.log(`[dashboard] Relaycast workspace key: ${key}`);
Replace the plaintext key with a masked version (e.g., showing only the last 4 characters) to avoid leaking credentials in logs. For example:
const masked = key.length > 4 ? '***' + key.slice(-4) : '****';
console.log(`[dashboard] Relaycast workspace key: ${masked}`);
Apply this change at both line 388 (using startupConfig.apiKey) and line 576 (using key).
| if (key) { | ||
| setRelayApiKey(key); | ||
| console.log('[dashboard] Relaycast workspace key bootstrapped from broker'); | ||
| console.log(`[dashboard] Relaycast workspace key: ${key}`); |
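Review bot: The second `console.log` in the `if (key)` block adds nothing to the record except the secret, because the line before it already reports that the key was bootstrapped from the broker. Drop the added line, or log only a masked form of `key`.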
🔴 Workspace API key logged in plaintext during broker bootstrap
Same issue as at startup: the bootstrapped workspace key is logged in plaintext at proxy-server.ts:576. The old code at this location logged '[dashboard] Relaycast workspace key bootstrapped from broker' without the key value. The new code exposes the full credential in logs via ``console.log(`[dashboard] Relaycast workspace key: ${key}`)``.
| console.log(`[dashboard] Relaycast workspace key: ${key}`); | |
| console.log(`[dashboard] Relaycast workspace key: ${key.length > 4 ? '***' + key.slice(-4) : '****'}`); |
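Review bot: The `key.length > 4` threshold in the suggested line still reveals four of five characters for a 5-character key. Require a much longer key before printing any suffix, and put the expression in one helper so the startup log applies the same rule.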
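One way to apply the masking asked for in both review comments from a single place, written as an added example and not taken from the project's code. The names `maskSecret`, `formatKeyLogLine` and `redactLogLine`, the 16-character threshold and the sample key are assumptions made for illustration.

```typescript
// Added example: hypothetical helpers, not the project's code.
// Assumption: a suffix is shown only for keys long enough that 4 characters
// reveal little; the threshold of 16 is illustrative.
const MIN_LEN_FOR_SUFFIX = 16;
const SUFFIX_LEN = 4;

/** Log-safe form of a secret: fixed mask, plus a short suffix for long keys only. */
function maskSecret(secret: string | null | undefined): string {
  if (!secret) return '(unset)';
  if (secret.length < MIN_LEN_FOR_SUFFIX) return '****';
  return '***' + secret.slice(-SUFFIX_LEN);
}

/** One formatter for both call sites, so the masking rule cannot drift between them. */
function formatKeyLogLine(key: string | null | undefined): string {
  return `[dashboard] Relaycast workspace key: ${maskSecret(key)}`;
}

/**
 * Scrub a line before it is written: masks every occurrence of a known secret,
 * then any remaining "Bearer <token>" value (for example a logged request header).
 */
function redactLogLine(line: string, knownSecrets: string[]): string {
  let out = line;
  for (const s of knownSecrets) {
    // split/join replaces literally, so regex metacharacters in a key are harmless.
    if (s) out = out.split(s).join(maskSecret(s));
  }
  return out.replace(
    /(Bearer\s+)([\w.~+\/=-]+)/g,
    (_m: string, prefix: string, token: string) => prefix + maskSecret(token),
  );
}

// Constructed sample value, not a real credential.
const SAMPLE_KEY = 'EXAMPLE-KEY-0123456789abcd';
```
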