Log JWT token validation details #22232

Status: Open
prashantkumar1982 wants to merge 1 commit into develop from codex/jwt-token-validation-debug-logs
Conversation


@prashantkumar1982 prashantkumar1982 commented Apr 28, 2026

Summary

  • Adds request-scoped debug logging for JWT validation failures so operators can inspect sanitized token context, parsed header and claims, and the validation error when auth fails.
  • Threads the JSON-RPC request ID and method into token validation so diagnostic logs can be correlated with the failing request.
  • Avoids logging replayable JWT material by recording only a short token prefix and a sanitized parsed token without raw token or signature fields.
  • Adds regression coverage through the authorize path to verify sanitized token details, method, and request ID are emitted on validation failure.

@github-actions

I see you updated files related to core. Please run make gocs in the root directory to add a changeset, and include at least one of the following tags in the text:

  • #added For any new functionality added.
  • #breaking_change For any functionality that requires manual action for the node to boot.
  • #bugfix For bug fixes.
  • #changed For any change to the existing functionality.
  • #db_update For any feature that introduces updates to database schema.
  • #deprecation_notice For any upcoming deprecation functionality.
  • #internal For changesets that need to be excluded from the final changelog.
  • #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
  • #removed For any functionality/config that is removed.
  • #updated For any functionality that is updated.
  • #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

github-actions Bot commented Apr 28, 2026

✅ No conflicts with other open PRs targeting develop

prashantkumar1982 force-pushed the codex/jwt-token-validation-debug-logs branch from 5473e05 to c65876a on April 28, 2026 18:56
prashantkumar1982 marked this pull request as ready for review on April 28, 2026 19:02
prashantkumar1982 requested review from a team as code owners on April 28, 2026 19:02

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c65876abd4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines 393 to 394
if refreshErr := v.refreshJWKS(ctx); refreshErr != nil {
v.lggr.Warnw("JWKS refresh failed", "error", refreshErr, "kid", kid)
return nil, fmt.Errorf("%w: kid=%s", ErrJWKSKeyNotFound, kid)
P2: Preserve JWKS refresh cause on key lookup failure

When refreshJWKS fails (for example, Auth0 JWKS is temporarily unavailable), this branch now returns only ErrJWKSKeyNotFound and no longer logs refreshErr, so token validation failures become indistinguishable from a real missing kid. That regression removes the actionable root cause operators previously had, which directly undermines the new failure diagnostics for production incidents. Consider wrapping or logging refreshErr here so outages surface as JWKS fetch failures rather than generic key-not-found errors.

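An added example (not code from this PR or the project) of the error-wrapping the review comment asks for: the key lookup wraps both the missing-key sentinel and the refresh cause, so an operator can tell an outage from a genuinely unknown kid with errors.Is. ErrJWKSUnavailable, fetchJWKS and classify are assumed names; the JWKS URL is a constructed placeholder.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrJWKSKeyNotFound mirrors the sentinel named in the review comment (assumed definition).
var ErrJWKSKeyNotFound = errors.New("jwks key not found")

// ErrJWKSUnavailable is an assumed sentinel for a failed JWKS fetch.
var ErrJWKSUnavailable = errors.New("jwks endpoint unavailable")

// fetchJWKS stands in for the refresh call; `available` simulates the endpoint state (constructed).
func fetchJWKS(available bool) error {
	if available {
		return nil
	}
	return fmt.Errorf("%w: GET https://jwks.example/.well-known/jwks.json: 503", ErrJWKSUnavailable)
}

// lookupKeyError builds the error returned when kid is still missing after a refresh attempt.
// With Go 1.20+ multiple %w verbs keep both the sentinel and the refresh cause reachable.
func lookupKeyError(kid string, refreshErr error) error {
	if refreshErr == nil {
		return fmt.Errorf("%w: kid=%s", ErrJWKSKeyNotFound, kid)
	}
	return fmt.Errorf("%w: kid=%s (JWKS refresh failed: %w)", ErrJWKSKeyNotFound, kid, refreshErr)
}

// classify is what a dashboard or alert rule would do with the error: distinguish an
// upstream outage (retry, page the on-call) from a real unknown key (likely a bad token).
func classify(err error) string {
	switch {
	case errors.Is(err, ErrJWKSUnavailable):
		return "jwks-outage"
	case errors.Is(err, ErrJWKSKeyNotFound):
		return "unknown-kid"
	default:
		return "other"
	}
}

func main() {
	fmt.Println(classify(lookupKeyError("kid-1", fetchJWKS(false)))) // jwks-outage
	fmt.Println(classify(lookupKeyError("kid-1", fetchJWKS(true))))  // unknown-kid
}
```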

@prashantkumar1982 prashantkumar1982 added the build-publish Build and Publish image to SDLC label Apr 28, 2026
prashantkumar1982 force-pushed the codex/jwt-token-validation-debug-logs branch from c65876a to 830b777 on April 28, 2026 19:13

@timothyF95 timothyF95 left a comment

Approved only to be deployed to STAGING for testing


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 830b777f23

Comment on lines +312 to +314
if len(tokenString) <= maxLen {
return tokenString
}
P2: Avoid logging full auth token for short inputs

safeTokenPrefix currently returns the entire token when its length is <= tokenLogPrefixLen, so any short Auth value (for example, a misrouted API key or short bearer token) is written verbatim in tokenValidationError logs. This code path runs for invalid tokens before verification, so with debug logging enabled an attacker/client can cause raw credential leakage to logs; the helper should always redact so complete token material is never emitted.


@prashantkumar1982

@codex review


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 830b777f23

Comment on lines +295 to +296
"claims": token.Claims,
"valid": token.Valid,
P2: Avoid logging full unverified JWT claims

When debug logging is enabled, this path now emits token.Claims verbatim for every validation failure, including tokens that have not passed signature validation. Because req.Auth is client-controlled, an attacker can send oversized or sensitive claim payloads and force large claim blobs into logs, which creates a log-amplification/PII exposure risk that did not exist before this change. Consider redacting to a small allowlist (e.g., iss, aud, kid) or truncating claim values before logging.

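An added example (not code from this PR or the project) covering both this comment and the earlier safeTokenPrefix one: a prefix helper that never emits complete token material, even for inputs shorter than the prefix length, and a claim sanitizer that keeps only an allowlist and bounds each value. The constant and function names, the allowlist and the length limits are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
)

// tokenLogPrefixLen: how many leading token characters a log line may keep (assumed value).
const tokenLogPrefixLen = 8

// safeTokenPrefix never returns the whole input. Inputs at or below the prefix length keep
// at most half their characters; the remainder is summarised as a count, never echoed.
func safeTokenPrefix(tokenString string) string {
	if tokenString == "" {
		return "<empty>"
	}
	keep := tokenLogPrefixLen
	if len(tokenString) <= keep {
		keep = len(tokenString) / 2
	}
	return tokenString[:keep] + "...[redacted " + strconv.Itoa(len(tokenString)-keep) + " chars]"
}

// claimAllowlist lists the unverified claims considered safe to log (assumed set).
var claimAllowlist = map[string]bool{"iss": true, "aud": true, "sub": true, "exp": true, "iat": true}

// maxClaimValueLen bounds each logged value so a client cannot inflate log volume (assumed value).
const maxClaimValueLen = 64

// sanitizeClaims keeps only allowlisted claims and truncates long values. Every value is
// rendered with %v first, so numbers and nested objects are bounded the same way as strings.
func sanitizeClaims(claims map[string]any) map[string]string {
	out := make(map[string]string, len(claims))
	for k, v := range claims {
		if !claimAllowlist[k] {
			continue
		}
		s := fmt.Sprintf("%v", v)
		if len(s) > maxClaimValueLen {
			s = s[:maxClaimValueLen] + "...[truncated]"
		}
		out[k] = s
	}
	return out
}

func main() {
	fmt.Println(safeTokenPrefix("abc")) // a...[redacted 2 chars]
	fmt.Println(sanitizeClaims(map[string]any{"iss": "https://issuer.example", "password": "hunter2"}))
}
```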

@cl-sonarqube-production

Quality Gate failed

Failed conditions
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube
