From d2926c452aeb57122d625d4286420a4b3b75a6ae Mon Sep 17 00:00:00 2001
From: alma
Date: Fri, 16 Jan 2026 22:42:51 +0100
Subject: [PATCH] Fondation
---
 app/api/auth/options.ts | 8 ++++----
 app/api/courrier/unread-counts/route.ts | 3 +--
 app/api/users/route.ts | 4 ++--
 3 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/app/api/auth/options.ts b/app/api/auth/options.ts
index 5c84cf6..e03ea83 100644
--- a/app/api/auth/options.ts
+++ b/app/api/auth/options.ts
@@ -192,6 +192,7 @@ async function refreshAccessToken(token: ExtendedJWT) {
 }
 export const authOptions: NextAuthOptions = {
+ debug: false, // Désactive les logs NextAuth en mode debug pour la sécurité
 providers: [
 KeycloakProvider({
 clientId: getRequiredEnvVar("KEYCLOAK_CLIENT_ID"),
@@ -358,7 +359,7 @@ export const authOptions: NextAuthOptions = {
 // If we recently failed, return error immediately (cooldown active)
 if (timeSinceFailure < REFRESH_COOLDOWN_MS) {
 logger.debug('Refresh cooldown active, skipping refresh attempt', {
- userId,
+ userIdHash: Buffer.from(userId).toString('base64').slice(0, 12),
 timeSinceFailure,
 cooldownRemaining: REFRESH_COOLDOWN_MS - timeSinceFailure,
 });
@@ -431,7 +432,7 @@ export const authOptions: NextAuthOptions = {
 cleanupRefreshCooldown(); // Prevent memory leak
 logger.info("Keycloak session invalidated, setting cooldown", {
- userId,
+ userIdHash: Buffer.from(userId).toString('base64').slice(0, 12),
 cooldownMs: REFRESH_COOLDOWN_MS,
 });
@@ -550,12 +551,11 @@ export const authOptions: NextAuthOptions = {
 signIn: '/signin',
 error: '/signin',
 },
- debug: process.env.NODE_ENV === 'development',
 // Add error handling events
 events: {
 async signIn({ user, account, profile }) {
 logger.info('[NEXTAUTH] Sign-in event', {
- userId: user?.id,
+ userIdHash: user?.id ? Buffer.from(user.id).toString('base64').slice(0, 12) : null,
 emailPresent: !!user?.email,
 provider: account?.provider,
 });
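Review bot: The comment on the added `debug: false` line is in French while the other comments visible in this diff are in English, and it does not record what actually changed: the line removed in the hunk at -550 (`debug: process.env.NODE_ENV === 'development'`) already evaluated to false outside development, so this only alters development runs. A comment such as `// NextAuth debug logging stays off in every environment, including development` would state that. The `authOptions` object literal continues past the end of this hunk.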
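Review bot: The new `userIdHash` field in the cooldown `logger.debug` call is not a hash: `Buffer.from(userId).toString('base64').slice(0, 12)` is a reversible encoding of the first nine bytes of the id, so anyone who can read the logs can decode that prefix, and two users who share it become indistinguishable in the logs. The same expression is repeated in the hunks at -431 (`logger.info` on session invalidation) and -550 (the `signIn` event). If the intent is to keep raw identifiers out of the logs, a truncated keyed digest from one shared helper, using `createHmac` from `node:crypto` and a key read through the existing `getRequiredEnvVar`, gives a stable correlation value that cannot be reversed without the key. The environment variable name in the sketch below is a placeholder, and the callback that contains this hunk starts and ends outside it.

```typescript
// One-way, keyed pseudonym for log correlation.
// The key variable name is a placeholder; assumes getRequiredEnvVar returns a string.
function logUserRef(userId: string): string {
  return createHmac('sha256', getRequiredEnvVar('LOG_PSEUDONYM_KEY_PLACEHOLDER'))
    .update(userId)
    .digest('hex')
    .slice(0, 12);
}

// … unchanged: cooldown check and logger.debug message …
              userIdHash: logUserRef(userId),
```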
diff --git a/app/api/courrier/unread-counts/route.ts b/app/api/courrier/unread-counts/route.ts
index 0199ba2..37ba74b 100644
--- a/app/api/courrier/unread-counts/route.ts
+++ b/app/api/courrier/unread-counts/route.ts
@@ -220,8 +220,7 @@ async function fetchUnreadCounts(userId: string): Promise