
Potential fix for code scanning alert no. 23: Clear-text logging of sensitive information#7

Merged: TriForMine merged 1 commit into main from alert-autofix-23, Mar 1, 2026

Conversation


@TriForMine TriForMine commented Mar 1, 2026

Potential fix for https://github.com/TriForMine/nexis/security/code-scanning/23

In general, to fix clear-text logging issues, remove sensitive values from logs or replace them with generic messages that do not reveal secrets or detailed security configuration. If logs must indicate that something is misconfigured, they should do so without including actual secret-derived content or specific security parameters, or they should only include an internal error code.

For this particular case, the only tainted value is minLength derived from context.password.config.minPasswordLength. We can keep the behavior (skipping admin bootstrap when the admin password is too short) while changing the log message so it no longer embeds the specific numeric minimum. A simple way is to log that the password is shorter than the required minimum without specifying the exact number. That removes the tainted minLength from the log while preserving functionality. The comparison using minLength is still performed, but the value is no longer inserted into the string.

Concretely, in dashboard/control-api/src/better_auth.ts, update the console.warn call around line 138–140 to remove the (${minLength}) interpolation and any wording that reveals the exact minimum. No new imports or helpers are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Summary by CodeRabbit

  • Chores
    • Updated admin password validation warning message to reference password policy instead of specific length requirements.
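The before/after shape of the change the description calls for, as an added example rather than code from the nexis repository: the comparison against minLength is kept, only the warning text stops carrying the configured value. The context shape, the message wording and the helper names are assumptions; only minLength, minPasswordLength and console.warn come from the PR description.

```typescript
// Added illustration, not the project's better_auth.ts. Types and message
// text are assumed; the names minLength / minPasswordLength are from the PR.
interface PasswordConfig { minPasswordLength: number }
interface AuthContext { password: { config: PasswordConfig } }

// Result of the admin bootstrap pre-check: whether to skip, and what to log.
interface BootstrapCheck { skip: boolean; warning?: string }

// Before: the configured minimum (a security parameter derived from config)
// is interpolated into the warning, which is what the alert flagged.
function checkAdminPasswordBefore(ctx: AuthContext, adminPassword: string): BootstrapCheck {
  const minLength = ctx.password.config.minPasswordLength;
  if (adminPassword.length < minLength) {
    return { skip: true, warning: `Admin password is too short (${minLength}); skipping admin bootstrap` };
  }
  return { skip: false };
}

// After: same comparison and same skip behaviour, but the message refers to
// the policy generically and embeds no config-derived value.
function checkAdminPasswordAfter(ctx: AuthContext, adminPassword: string): BootstrapCheck {
  const minLength = ctx.password.config.minPasswordLength;
  if (adminPassword.length < minLength) {
    return { skip: true, warning: "Admin password does not meet the password policy; skipping admin bootstrap" };
  }
  return { skip: false };
}

// Regression check a reviewer can keep in the test suite: does a warning
// string embed the configured minimum as a standalone number?
function warningRevealsMinLength(warning: string | undefined, minLength: number): boolean {
  if (warning === undefined) return false;
  return new RegExp(`(^|\\D)${minLength}(\\D|$)`).test(warning);
}

// The only side effect: log the generic warning when bootstrap is skipped.
function emitBootstrapWarning(check: BootstrapCheck): void {
  if (check.skip && check.warning) console.warn(check.warning);
}
```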

…ensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

coderabbitai bot commented Mar 1, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e333ff6 and b3c8a30.

📒 Files selected for processing (1)
  • dashboard/control-api/src/better_auth.ts

📝 Walkthrough

Updated the warning message for short admin passwords in the authentication module from citing specific minimum length requirements to referencing password policy instead. No functional behavior changes; only warning text modified.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Authentication Warning Message: dashboard/control-api/src/better_auth.ts | Updated admin password validation warning to reference password policy instead of specific minimum length requirement. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A message refined, so simple and neat,
Policy guidance now makes validation complete,
No code paths were harmed, just warnings we'd say,
Hopping through auth checks, the safe, steady way! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: addressing a code scanning alert about clear-text logging of sensitive information, which aligns with the removal of the minimum length value from the logged warning message. |


@TriForMine TriForMine marked this pull request as ready for review March 1, 2026 01:34

github-actions bot commented Mar 1, 2026

k6 Performance Comparison

| Metric | Base | PR | Delta (PR-Base) | Status |
| --- | --- | --- | --- | --- |
| handshake p95 | 44.00 ms | 44.00 ms | 0.00 | BETTER_OR_EQUAL |
| handshake p99 | 44.51 ms | 45.02 ms | +0.51 | REGRESSION |
| join p95 | 15.00 ms | 37.80 ms | +22.80 | REGRESSION |
| join p99 | 34.36 ms | 56.53 ms | +22.17 | REGRESSION |
| room.message(inc) RTT p95 | 47.00 ms | 48.00 ms | +1.00 | REGRESSION |
| room.message(inc) RTT p99 | 48.00 ms | 49.00 ms | +1.00 | REGRESSION |
| state.patch rate | 784.15/s | 692.73/s | -91.42 | REGRESSION |
| ws errors | 0 | 0 | 0.00 | BETTER_OR_EQUAL |

Gate (PR fail criteria)

| Metric | Rule | Base | PR | Gate |
| --- | --- | --- | --- | --- |
| room.message(inc) RTT p95 | PR <= Base * 1.15 | 47.00 ms | 48.00 ms | PASS |
| room.message(inc) RTT p99 | PR <= Base * 1.15 | 48.00 ms | 49.00 ms | PASS |
| ws errors | PR <= Base + 0 | 0 | 0 | PASS |

Regressions detected: 6
Gate failures: 0

Config source: infra/load/k6-ws.js with CI env VUS=50 DURATION=20s ROOM_SHARDS=10 INC_INTERVAL_MS=250.

@TriForMine TriForMine merged commit 243d809 into main Mar 1, 2026
16 checks passed
@TriForMine TriForMine deleted the alert-autofix-23 branch March 1, 2026 07:43