Security: REDCap API token is exposed in assertion error message
Hi — thanks for maintaining PyCap.
I noticed a potential security issue in the token validation logic that can cause REDCap API tokens to be printed in plain text when validation fails.
In _validate_url_and_token (in redcap/methods/base.py), the token is interpolated directly into an AssertionError message:
```python
assert actual_token_len == expected_token_len, (
    f"Incorrect token format '{token}', token must be",
    f"{expected_token_len} characters long",
)
```
If the token is malformed (e.g., wrong length, trailing newline), this assertion prints the full token to stdout/logs. This can leak secrets into CI logs, terminals, or shared debugging output.
Even though this only occurs on error paths, the token may still be mostly or entirely valid, and error logs are a common source of credential leakage.
Suggested fix
Avoid interpolating secrets into exception messages. Replace assert with an explicit exception (e.g., ValueError) and use a generic message, for example:
```python
if len(token) != 32:
    raise ValueError("Invalid REDCap token format (expected 32 characters)")
```
Thanks for your work on the project.
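The contrast the issue describes, as an added, self-contained example that is not PyCap's code: a validator written in the reported style (secret interpolated into the error) next to a hardened one that raises an explicit exception carrying only non-secret diagnostics (length, whitespace, character class), plus a small check that confirms the token never appears in the error text. The 32-character hex pattern, the helper names, and the sample tokens are assumptions constructed for the example; the page itself only states the 32-character length.

```python
import re

TOKEN_LEN = 32
# Assumption for this example: REDCap tokens are 32 hex characters.
# The issue itself only states the expected length.
_HEX_RE = re.compile(r"[0-9A-Fa-f]*")

# Constructed sample tokens (not real credentials).
GOOD_TOKEN = "0123456789ABCDEF0123456789ABCDEF"          # 32 hex chars
SHORT_TOKEN = "0123456789ABCDEF0123456789ABCDE"          # 31 chars
NEWLINE_TOKEN = "0123456789ABCDEF0123456789ABCDEF\n"     # 32 chars + trailing newline


def validate_token_leaky(token: str) -> None:
    """Mirrors the reported pattern: the secret is interpolated into the error.

    Note also that `assert` is stripped entirely under `python -O`, so a
    validation check written this way can silently disappear in production.
    """
    assert len(token) == TOKEN_LEN, (
        f"Incorrect token format '{token}', token must be {TOKEN_LEN} characters long"
    )


def validate_token(token: str) -> str:
    """Hardened check: explicit exception, message built only from non-secret facts."""
    if not isinstance(token, str):
        raise TypeError("REDCap token must be a str")

    hints = []
    if len(token) != TOKEN_LEN:
        hints.append(f"got {len(token)} characters, expected {TOKEN_LEN}")
    if token != token.strip():
        hints.append("contains leading/trailing whitespace")
    if not _HEX_RE.fullmatch(token.strip()):
        hints.append("contains non-hexadecimal characters")

    if hints:
        # The token value itself is deliberately never placed in the message.
        raise ValueError("Invalid REDCap token format (" + "; ".join(hints) + ")")
    return token


def error_message(validator, token: str) -> str:
    """Return the text a caller would see in logs for a failed validation ('' on success)."""
    try:
        validator(token)
    except (AssertionError, ValueError) as exc:
        return str(exc)
    return ""


def leaks_secret(validator, token: str) -> bool:
    """True if the token material shows up in the validator's error text."""
    return token.strip() in error_message(validator, token)


if __name__ == "__main__":
    for name, tok in [("short", SHORT_TOKEN), ("newline", NEWLINE_TOKEN)]:
        print(f"[{name}] leaky  -> leaks={leaks_secret(validate_token_leaky, tok)}")
        print(f"[{name}] hardened -> {error_message(validate_token, tok)!r}")
```

A useful regression test for a fix like this is exactly `leaks_secret`: feed every malformed variant you can think of (short, long, trailing newline, wrong characters) and assert the original value never appears in the exception text or in captured log output.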