Redact token values from debug logs#51

Merged
VelikovPetar merged 2 commits into develop from fix/token-log-redaction
Mar 25, 2026
Conversation

@aleksandar-apostolov
Collaborator

@aleksandar-apostolov aleksandar-apostolov commented Mar 25, 2026

Goal

Prevent JWT tokens from leaking into LogCat, crash reports, and monitoring systems.

Implementation

  • ConnectUserData.toString() — custom override that prints <redacted> instead of the raw token
  • StreamToken.toString() — returns StreamToken(<redacted>) instead of the raw value
  • StreamSocketSession auth request log — prints byte count instead of the serialized JSON payload containing the token

Testing

Existing tests pass. Token redaction is structural (toString override) — no runtime behavior change.

Summary by CodeRabbit

  • Security Improvements
    • Authentication tokens and sensitive credentials are now redacted in application logs and string representations to prevent accidental data exposure.
    • Verbose logging during authentication now displays payload size instead of full serialized content, further protecting sensitive information.

ConnectUserData.toString() now prints <redacted> instead of the raw JWT.
StreamToken.toString() returns StreamToken(<redacted>) instead of the
raw value. Auth request log in SocketSession now prints byte count
instead of the serialized payload.

Prevents JWT tokens from appearing in LogCat, crash reports, or
monitoring systems.
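The pattern described above (redact in `toString()`, log payload size rather than content) as an added Kotlin illustration; this is not stream-android-core's own code, and the class shapes, property names and the `authRequestLogLine` helper are assumed:

```kotlin
// Added example, not the project's code. Shows why a data class leaks a token
// through its auto-generated toString() and how the override stops it.

// "Before": a data class with no override prints every property, token included.
data class LeakyConnectUserData(val userId: String, val token: String)

// "After": the wrapper keeps the raw value available to callers that need it,
// but its string form never contains it. (Value class assumed; a plain class works too.)
@JvmInline
value class StreamToken(val rawValue: String) {
    override fun toString(): String = "StreamToken(<redacted>)"
}

data class ConnectUserData(val userId: String, val token: StreamToken) {
    // Explicit override: without it the generated toString() would include the token field.
    override fun toString(): String = "ConnectUserData(userId=$userId, token=<redacted>)"
}

// Verbose auth log: report size only. Kotlin's String.length counts UTF-16 code
// units, so encode to bytes first if the log should really state bytes.
fun authRequestLogLine(serialized: String): String {
    val bytes = serialized.toByteArray(Charsets.UTF_8).size
    return "Sending auth request ($bytes bytes)"
}

fun main() {
    // Constructed sample token, not a real credential.
    val raw = "eyJhbGciOiJIUzI1NiJ9.sample-payload.sample-signature"

    val leaky = LeakyConnectUserData("alice", raw)
    println(leaky)            // prints the raw token: the leak this PR closes

    val token = StreamToken(raw)
    val data = ConnectUserData("alice", token)
    println(data)             // ConnectUserData(userId=alice, token=<redacted>)
    println(token)            // StreamToken(<redacted>)

    // Serialization still uses the real value; only logging is redacted.
    val payload = """{"user_id":"${data.userId}","token":"${token.rawValue}"}"""
    println(authRequestLogLine(payload))

    check(!data.toString().contains(raw)) { "token leaked via toString()" }
    check(!authRequestLogLine(payload).contains(raw)) { "token leaked via log line" }
}
```

Note that the override only covers string conversion: `copy()`, destructuring and serializers still see the real value, which is why the log line itself must avoid the payload rather than relying on `toString()` alone.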
@github-actions
Contributor

github-actions bot commented Mar 25, 2026

PR checklist ✅

All required conditions are satisfied:

  • Title length is OK (or ignored by label).
  • At least one pr: label exists.
  • Sections ### Goal, ### Implementation, and ### Testing are filled.

🎉 Great job! This PR is ready for review.

@coderabbitai

coderabbitai bot commented Mar 25, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 1a0a3cd and baf9805.

📒 Files selected for processing (3)
  • stream-android-core/src/main/java/io/getstream/android/core/api/model/value/StreamToken.kt
  • stream-android-core/src/main/java/io/getstream/android/core/internal/socket/StreamSocketSession.kt
  • stream-android-core/src/main/java/io/getstream/android/core/internal/socket/model/ConnectUserData.kt

Walkthrough

The changes implement security enhancements by redacting sensitive token information across three files. StreamToken now overrides toString() to return a masked value, ConnectUserData implements a custom toString() that redacts the token field, and socket authentication logging was modified to log only payload size instead of full serialized content.

Changes

  • Token Redaction
    • Files: stream-android-core/src/main/java/io/getstream/android/core/api/model/value/StreamToken.kt, stream-android-core/src/main/java/io/getstream/android/core/internal/socket/model/ConnectUserData.kt
    • Summary: Added toString() overrides to both classes that replace token values with the <redacted> placeholder, preventing sensitive data exposure in string representations.
  • Auth Logging Privacy
    • File: stream-android-core/src/main/java/io/getstream/android/core/internal/socket/StreamSocketSession.kt
    • Summary: Modified the verbose socket authentication log to output the payload size in bytes (${it.length} bytes) instead of the full serialized request content.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Tokens hidden, safe from sight,
Redacted strings shine ever bright,
No secrets logged in plain display,
Security hops the safe way! 🎉

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage ⚠️ Warning: Docstring coverage is 25.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

  • Title check ✅ Passed: The title clearly and specifically summarizes the primary change: adding token redaction to debug logs for security.
  • Description check ✅ Passed: The description includes all required sections (Goal, Implementation, Testing, Checklist) and provides concrete details about the changes made.

@VelikovPetar VelikovPetar merged commit 80e529f into develop Mar 25, 2026
6 of 7 checks passed
@VelikovPetar VelikovPetar deleted the fix/token-log-redaction branch March 25, 2026 14:45
@aleksandar-apostolov aleksandar-apostolov changed the title fix(security): redact token values from debug logs Redact token values from debug logs Mar 27, 2026
@stream-public-bot stream-public-bot added the released Included in a release label Mar 27, 2026
@stream-public-bot

🚀 Available in v3.0.1

Labels

pr:improvement Improvement released Included in a release
