From baf980503bc5b6b0522276b8363e8c83e0711578 Mon Sep 17 00:00:00 2001
From: Aleksandar Apostolov
Date: Wed, 25 Mar 2026 15:09:20 +0100
Subject: [PATCH] fix(security): redact token values from debug logs

ConnectUserData.toString() now prints instead of the raw JWT. StreamToken.toString() returns StreamToken() instead of the raw value. Auth request log in SocketSession now prints byte count instead of the serialized payload. Prevents JWT tokens from appearing in LogCat, crash reports, or monitoring systems.
---
 .../io/getstream/android/core/api/model/value/StreamToken.kt | 2 ++
 .../android/core/internal/socket/StreamSocketSession.kt | 4 +++-
 .../android/core/internal/socket/model/ConnectUserData.kt | 5 ++++-
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/stream-android-core/src/main/java/io/getstream/android/core/api/model/value/StreamToken.kt b/stream-android-core/src/main/java/io/getstream/android/core/api/model/value/StreamToken.kt
index e1f3299..fe1a4a8 100644
--- a/stream-android-core/src/main/java/io/getstream/android/core/api/model/value/StreamToken.kt
+++ b/stream-android-core/src/main/java/io/getstream/android/core/api/model/value/StreamToken.kt
@@ -26,6 +26,8 @@ import io.getstream.android.core.annotations.StreamPublishedApi
 @StreamPublishedApi
 @JvmInline
 public value class StreamToken private constructor(public val rawValue: String) {
+ override fun toString(): String = "StreamToken()"
+
 public companion object {
 /**
 * Creates a new [StreamToken] from a string.
diff --git a/stream-android-core/src/main/java/io/getstream/android/core/internal/socket/StreamSocketSession.kt b/stream-android-core/src/main/java/io/getstream/android/core/internal/socket/StreamSocketSession.kt
index 611bb15..1b521e4 100644
--- a/stream-android-core/src/main/java/io/getstream/android/core/internal/socket/StreamSocketSession.kt
+++ b/stream-android-core/src/main/java/io/getstream/android/core/internal/socket/StreamSocketSession.kt
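Review bot: The `toString()` override added to `StreamToken` in StreamToken.kt has no KDoc, although the class is marked `@StreamPublishedApi` and the override changes what callers see when a token is interpolated into a string. A short comment would keep a later cleanup from removing it as redundant, for example `/** Returns a fixed placeholder so the token never reaches logs or crash reports; read [rawValue] explicitly when the value is needed. */`. `rawValue` stays public, so any call site that logs `token.rawValue` is unaffected by this change and still needs its own review. The patch touches only three files under `src/main`; a unit test asserting that `toString()` on `StreamToken` and on `ConnectUserData` does not contain the token value would guard the redaction in the ConnectUserData.kt hunk as well.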
@@ -345,7 +345,9 @@ internal class StreamSocketSession(
 eventParser
 .serialize(StreamCompositeSerializationEvent.internal(authRequest))
 .mapCatching {
- logger.v { "[onOpen] Sending auth request: $it" }
+ logger.v {
+ "[onOpen] Sending auth request (${it.length} bytes)"
+ }
 internalSocket.send(it)
 }
 .onFailure {
diff --git a/stream-android-core/src/main/java/io/getstream/android/core/internal/socket/model/ConnectUserData.kt b/stream-android-core/src/main/java/io/getstream/android/core/internal/socket/model/ConnectUserData.kt
index dc85f2e..522e0b7 100644
--- a/stream-android-core/src/main/java/io/getstream/android/core/internal/socket/model/ConnectUserData.kt
+++ b/stream-android-core/src/main/java/io/getstream/android/core/internal/socket/model/ConnectUserData.kt
@@ -35,4 +35,7 @@ internal data class ConnectUserData(
 val invisible: Boolean = false,
 val language: String? = null,
 val custom: Map? = null,
-)
+) {
+ override fun toString(): String =
+ "ConnectUserData(userId=$userId, token=, name=$name, invisible=$invisible)"
+}
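Review bot: The new log message in StreamSocketSession.kt labels `it.length` as bytes, but if `it` is a `String` (it is passed straight to `internalSocket.send`) `length` counts UTF-16 code units, which differs from the encoded size as soon as the payload holds non-ASCII text such as a user name. Either relabel it, `"[onOpen] Sending auth request (${it.length} chars)"`, or log the encoded size instead. The `.onFailure` block that follows continues outside the hunk; it is worth confirming that it does not log the serialized payload or `authRequest`, which would reintroduce the leak this line removes.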
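Review bot: The hand-written `toString()` in ConnectUserData.kt is an allow-list that nothing enforces: it prints `userId`, `name` and `invisible`, and leaves out `language` and `custom` without a comment saying the omission is deliberate. Because a data class normally generates this method, a future edit that restores the generated form would bring the token back into logs, so a comment above the override such as `// Allow-list of non-secret fields for logging; never print token or custom here.` makes the intent explicit. `userId` and `name` still reach the log, which may count as personal data depending on where verbose logs are shipped. The constructor's parameter list starts above the hunk, so fields not visible here should be checked against the same rule.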