fix: redact 2FA code from homebridge-ui server log

[kzaky]

Summary

The homebridge-ui plugin server logs the user's 2FA code in plaintext at packages/homebridge-ring/homebridge-ui/server.ts:62 when exchanging it for a refresh token:

console.log(`Getting token for ${email} with code ${code}`)

Ring's 2FA codes are short-lived (~10 min) and single-use, so the practical risk is bounded — but homebridge logs are frequently pasted into bug reports, GitHub issues, and Discord screenshots. Anyone watching the log in that window could replay the code before it expires.

This PR drops with code ${code} from the log statement. The email is kept so the "we're at the token-exchange step for this user" signal is preserved for debugging.

Changes

• One-line edit in homebridge-ring/homebridge-ui/server.ts
• Changeset added (patch bump on homebridge-ring)

Test plan

• npx turbo run lint test --filter=homebridge-ring --filter=ring-client-api — all 18 tests pass, lint clean
• Manual review: code is still destructured and passed to getAuth(code) on the following line, so the unused-var lint rule isn't triggered and behavior is unchanged

[changeset-bot]

🦋 Changeset detected

Latest commit: 3305c8e

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages

Name	Type
homebridge-ring	Patch
ring-client-api	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[dgreif]

I agree that we shouldn't be logging this. Thanks for suggesting the change