fix(socialaccount): Don't return access token in __str__

pennersr · Jul 10, 2024 · 663c7df · 663c7df
1 parent aa33e2f
commit 663c7df
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/ChangeLog.rst b/ChangeLog.rst
@@ -1,7 +1,14 @@
 0.63.4 (unreleased)
 *******************
 
-- ...
+Security notice
+---------------
+
+- The ``__str__()`` method of the ``SocialToken`` model returned the access
+  token. As a consequence, logging or printing tokens otherwise would expose the
+  access token. Now, the method no longer returns the token. If you want to
+  log/print tokens, you will now have to explicitly log the ``token`` field of
+  the ``SocialToken`` instance.
 
 
 0.63.3 (2024-05-31)

diff --git a/allauth/socialaccount/models.py b/allauth/socialaccount/models.py
@@ -175,7 +175,7 @@ class Meta:
         verbose_name_plural = _("social application tokens")
 
     def __str__(self):
-        return self.token
+        return "%s (%s)" % (self._meta.verbose_name, self.pk)
 
 
 class SocialLogin(object):