You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Security
OTP codes and password-reset tokens no longer leak into the logs. The
built-in mailers (PasswordlessMailer, PasswordResetMailer) pass the OTP
code / reset URL as mailer params, which deliver_later serializes as the
delivery job's arguments — and ActiveJob's log subscriber prints job arguments
in plaintext on enqueue/perform (e.g. params: {email:…, otp_code: "03158369"}).
StandardId's mailers now deliver via StandardId::SecureMailDeliveryJob
(ActionMailer::MailDeliveryJob with log_arguments = false), so the
arguments are kept out of the log stream. Delivery behaviour is unchanged.