cleanups

Signed-off-by: Ryan Northey <ryan@synca.io>

docs/root/start/sandboxes/single-page-app.rst

@@ -52,10 +52,12 @@ to ``true``
 .. warning::
    Setting
    :ref:`forward_bearer_token <envoy_v3_api_field_extensions.filters.http.oauth2.v3.OAuth2Config.forward_bearer_token>`
-   means the provided access token will be forwarded to upstreams proxied by Envoy unless explicitly excluded.
+   means the provided access token will be forwarded to any cluster/upstreams proxied by Envoy for this HTTP filter chain..
 
-   This can be avoided by disabling the OAuth2 filter with
-   :ref:`per-route configuration <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpFilter.disabled>`.
+   If untrusted upstreams are present, care will need to be taken to remove any sensitive cookies, such as ``BearerToken``.
+
+   This can be achieved by setting :ref:`request_headers_to_remove <envoy_v3_api_field_config.route.v3.VirtualHost.request_headers_to_remove>`
+   for the affected route.
 
 A dummy "Myhub" backend is provided with a minimal OAuth provider and API for use in the example.
 

examples/single-page-app/myhub/api.py

@@ -17,6 +17,7 @@
 
 from shared import Data, debug_request, TokenStorage
 
+logger = logging.getLogger(__name__)
 MYHUB_URL = os.environ.get("MYHUB_URL") or "http://localhost:7000"
 
 # TODO: add to app
@@ -42,7 +43,6 @@ async def resources(request):
     resource_type = request.match_info["resource"]
     debug_request(request, resource_type)
     _data = Data(pathlib.Path(os.environ["DATA_PATH"]))
-    logger = logging.getLogger(__name__)
     access_token = request.cookies.get("BearerToken")
     allowed = (
         access_token