From cd862c7cd75857a11b11a6c526bbb1ec8521212a Mon Sep 17 00:00:00 2001
From: Dan Milne
Date: Thu, 11 Jun 2026 20:21:41 +1000
Subject: [PATCH] Filter `code` params from logs (TOTP, backup, OAuth code, PKCE)

The TOTP and backup-code form field is named `code`, which was not covered by the filter list, so live one-time codes landed in production logs. Adding :code (partial match) also redacts the OAuth authorization `code` and PKCE `code_verifier`/`code_challenge`.

Co-Authored-By: Claude Fable 5
---
 config/initializers/filter_parameter_logging.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/config/initializers/filter_parameter_logging.rb b/config/initializers/filter_parameter_logging.rb
index b6451be..a96bf8d 100644
--- a/config/initializers/filter_parameter_logging.rb
+++ b/config/initializers/filter_parameter_logging.rb
@@ -4,5 +4,8 @@
 # Use this to limit dissemination of sensitive information.
 # See the ActiveSupport::ParameterFilter documentation for supported notations and behaviors.
 Rails.application.config.filter_parameters += [
- :passw, :email, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn, :cvv, :cvc, :backup
+ :passw, :email, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn, :cvv, :cvc, :backup,
+ # :code partially matches the TOTP/backup `code` param, the OAuth authorization
+ # `code`, and the PKCE `code_verifier`/`code_challenge` — all sensitive in logs.
+ :code
 ]
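Review bot: The new `:code` entry is a case-insensitive substring match, so besides the keys named in the comment it will redact every parameter whose name merely contains "code" — `country_code`, `zip_code`, `promo_code`, `error_code`, any `encoded_*` field — which is safe from a disclosure standpoint but silently removes non-sensitive values that production debugging often relies on. If that over-reach is unwanted, an anchored Regexp entry keeps the redaction to exactly the keys the commit is targeting: `/\A(code|code_verifier|code_challenge)\z/`. As far as I can tell ActiveSupport::ParameterFilter matches a Regexp against the bare key name unless the pattern contains an escaped dot, so this form still applies to nested params (`user[code]`) the same way the symbol does. Either way it would be worth extending the added comment to say that the match is intentionally broad (or intentionally exact), so a later maintainer does not "tighten" or "loosen" it without realising which one-time-code fields depend on it.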