Sanitized token for login audit logs (#12031)

UgnineSirdis · web-flow · commit 9b2bdb08de3d · 2024-11-28T11:13:52.000+02:00
diff --git a/ydb/core/grpc_services/audit_logins.cpp b/ydb/core/grpc_services/audit_logins.cpp
@@ -11,7 +11,7 @@
 namespace NKikimr {
 namespace NGRpcService {
 
-void AuditLogLogin(IAuditCtx* ctx, const TString& database, const Ydb::Auth::LoginRequest& request, const Ydb::Auth::LoginResponse& response, const TString& errorDetails)
+void AuditLogLogin(IAuditCtx* ctx, const TString& database, const Ydb::Auth::LoginRequest& request, const Ydb::Auth::LoginResponse& response, const TString& errorDetails, const TString& sanitizedToken)
 {
     static const TString GrpcLoginComponentName = "grpc-login";
     static const TString LoginOperationName = "LOGIN";
@@ -49,11 +49,11 @@ void AuditLogLogin(IAuditCtx* ctx, const TString& database, const Ydb::Auth::Log
 
         // Login
         AUDIT_PART("login_user", (!request.user().empty() ? request.user() : EmptyValue))
+        AUDIT_PART("sanitized_token", (!sanitizedToken.empty() ? sanitizedToken : EmptyValue))
 
         //TODO: (?) it is possible to show masked version of the resulting token here
     );
 }
 
 }
 }
-
diff --git a/ydb/core/grpc_services/audit_logins.h b/ydb/core/grpc_services/audit_logins.h
@@ -13,6 +13,6 @@ namespace NKikimr::NGRpcService {
 class IAuditCtx;
 
 // logins log
-void AuditLogLogin(IAuditCtx* ctx, const TString& database, const Ydb::Auth::LoginRequest& request, const Ydb::Auth::LoginResponse& response, const TString& errorDetails);
+void AuditLogLogin(IAuditCtx* ctx, const TString& database, const Ydb::Auth::LoginRequest& request, const Ydb::Auth::LoginResponse& response, const TString& errorDetails, const TString& sanitizedToken);
 
 } // namespace NKikimr::NGRpcService
diff --git a/ydb/core/grpc_services/rpc_login.cpp b/ydb/core/grpc_services/rpc_login.cpp
@@ -88,7 +88,7 @@ class TLoginRPC : public TRpcRequestActor<TLoginRPC, TEvLoginRequest, true> {
             ReplyErrorAndPassAway(Ydb::StatusIds::INTERNAL_ERROR, "Failed to produce a token");
         } else {
             // success = token + no errors
-            ReplyAndPassAway(loginResult.token());
+            ReplyAndPassAway(loginResult.GetToken(), loginResult.GetSanitizedToken());
         }
     }
 
@@ -113,7 +113,7 @@ class TLoginRPC : public TRpcRequestActor<TLoginRPC, TEvLoginRequest, true> {
         }
     }
 
-    void ReplyAndPassAway(const TString& resultToken) {
+    void ReplyAndPassAway(const TString& resultToken, const TString& sanitizedToken) {
         TResponse response;
 
         Ydb::Operations::Operation& operation = *response.mutable_operation();
@@ -126,7 +126,7 @@ class TLoginRPC : public TRpcRequestActor<TLoginRPC, TEvLoginRequest, true> {
             operation.mutable_result()->PackFrom(result);
         }
 
-        AuditLogLogin(Request.Get(), PathToDatabase, *GetProtoRequest(), response, /* errorDetails */ TString());
+        AuditLogLogin(Request.Get(), PathToDatabase, *GetProtoRequest(), response, /* errorDetails */ TString(), sanitizedToken);
 
         return CleanupAndReply(response);
     }
@@ -143,7 +143,7 @@ class TLoginRPC : public TRpcRequestActor<TLoginRPC, TEvLoginRequest, true> {
             issue->set_message(error);
         }
 
-        AuditLogLogin(Request.Get(), PathToDatabase, *GetProtoRequest(), response, reason);
+        AuditLogLogin(Request.Get(), PathToDatabase, *GetProtoRequest(), response, reason, {});
 
         return CleanupAndReply(response);
     }
diff --git a/ydb/core/protos/flat_tx_scheme.proto b/ydb/core/protos/flat_tx_scheme.proto
@@ -153,6 +153,7 @@ message TEvLogin {
 message TEvLoginResult {
     optional string Error = 1;
     optional string Token = 2;  // signed jwt token
+    optional string SanitizedToken = 3;  // sanitized token without signature
 }
 
 // Sending actor registers itself to be notified when tx completes
diff --git a/ydb/core/security/ticket_parser_impl.h b/ydb/core/security/ticket_parser_impl.h
@@ -272,6 +272,9 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
             if (TokenType == TDerived::ETokenType::NebiusAccessService) {
                 return SanitizeNebiusTicket(Ticket);
             }
+            if (TokenType == TDerived::ETokenType::Login) {
+                return NLogin::TLoginProvider::SanitizeJwtToken(Ticket);
+            }
             return MaskTicket(Ticket);
         }
     };
diff --git a/ydb/core/tx/schemeshard/schemeshard__login.cpp b/ydb/core/tx/schemeshard/schemeshard__login.cpp
@@ -83,6 +83,7 @@ struct TSchemeShard::TTxLogin : TSchemeShard::TRwTxBase {
             }
             if (loginResponse.Token) {
                 result->Record.SetToken(loginResponse.Token);
+                result->Record.SetSanitizedToken(loginResponse.SanitizedToken);
             }
 
         } else {
diff --git a/ydb/core/tx/schemeshard/ut_login/ut_login.cpp b/ydb/core/tx/schemeshard/ut_login/ut_login.cpp
@@ -157,6 +157,8 @@ Y_UNIT_TEST_SUITE(TWebLoginService) {
         UNIT_ASSERT_STRING_CONTAINS(last, "status=SUCCESS");
         UNIT_ASSERT(!last.contains("reason"));
         UNIT_ASSERT_STRING_CONTAINS(last, "login_user=user1");
+        UNIT_ASSERT_STRING_CONTAINS(last, "sanitized_token=");
+        UNIT_ASSERT(last.find("sanitized_token={none}") == std::string::npos);
     }
 
     Y_UNIT_TEST(AuditLogLoginBadPassword) {
@@ -198,6 +200,7 @@ Y_UNIT_TEST_SUITE(TWebLoginService) {
         UNIT_ASSERT_STRING_CONTAINS(last, "status=ERROR");
         UNIT_ASSERT_STRING_CONTAINS(last, "reason=Invalid password");
         UNIT_ASSERT_STRING_CONTAINS(last, "login_user=user1");
+        UNIT_ASSERT_STRING_CONTAINS(last, "sanitized_token={none}");
     }
 
     Y_UNIT_TEST(AuditLogLdapLoginSuccess) {
@@ -292,6 +295,8 @@ Y_UNIT_TEST_SUITE(TWebLoginService) {
         UNIT_ASSERT(!last.contains("detailed_status"));
         UNIT_ASSERT(!last.contains("reason"));
         UNIT_ASSERT_STRING_CONTAINS(last, "login_user=user1@ldap");
+        UNIT_ASSERT_STRING_CONTAINS(last, "sanitized_token=");
+        UNIT_ASSERT(last.find("sanitized_token={none}") == std::string::npos);
     }
 
     Y_UNIT_TEST(AuditLogLdapLoginBadPassword) {
@@ -386,6 +391,7 @@ Y_UNIT_TEST_SUITE(TWebLoginService) {
         UNIT_ASSERT_STRING_CONTAINS(last, "detailed_status=UNAUTHORIZED");
         UNIT_ASSERT_STRING_CONTAINS(last, "reason=Could not login via LDAP: LDAP login failed for user uid=user1,dc=search,dc=yandex,dc=net on server ldap://localhost:");
         UNIT_ASSERT_STRING_CONTAINS(last, "login_user=user1@ldap");
+        UNIT_ASSERT_STRING_CONTAINS(last, "sanitized_token={none}");
     }
 
     Y_UNIT_TEST(AuditLogLdapLoginBadUser) {
@@ -480,6 +486,7 @@ Y_UNIT_TEST_SUITE(TWebLoginService) {
         UNIT_ASSERT_STRING_CONTAINS(last, "detailed_status=UNAUTHORIZED");
         UNIT_ASSERT_STRING_CONTAINS(last, "reason=Could not login via LDAP: LDAP user bad_user does not exist. LDAP search for filter uid=bad_user on server ldap://localhost:");
         UNIT_ASSERT_STRING_CONTAINS(last, "login_user=bad_user@ldap");
+        UNIT_ASSERT_STRING_CONTAINS(last, "sanitized_token={none}");
     }
 
     // LDAP responses to bad BindDn or bad BindPassword are the same, so this test covers the both cases.
@@ -575,6 +582,7 @@ Y_UNIT_TEST_SUITE(TWebLoginService) {
         UNIT_ASSERT_STRING_CONTAINS(last, "detailed_status=UNAUTHORIZED");
         UNIT_ASSERT_STRING_CONTAINS(last, "reason=Could not login via LDAP: Could not perform initial LDAP bind for dn cn=robouser,dc=search,dc=yandex,dc=net on server ldap://localhost:");
         UNIT_ASSERT_STRING_CONTAINS(last, "login_user=user1@ldap");
+        UNIT_ASSERT_STRING_CONTAINS(last, "sanitized_token={none}");
     }
 
     Y_UNIT_TEST(AuditLogLogout) {
@@ -677,6 +685,8 @@ Y_UNIT_TEST_SUITE(TWebLoginService) {
             UNIT_ASSERT_STRING_CONTAINS(last, "subject=user1");
             UNIT_ASSERT_STRING_CONTAINS(last, "operation=LOGOUT");
             UNIT_ASSERT_STRING_CONTAINS(last, "status=SUCCESS");
+            UNIT_ASSERT_STRING_CONTAINS(last, "sanitized_token=");
+            UNIT_ASSERT(last.find("sanitized_token={none}") == std::string::npos);
         }
     }
 }
diff --git a/ydb/library/login/login.cpp b/ydb/library/login/login.cpp
@@ -352,6 +352,7 @@ TLoginProvider::TLoginUserResponse TLoginProvider::LoginUser(const TLoginUserReq
     auto encoded_token = token.sign(algorithm);
 
     response.Token = TString(encoded_token);
+    response.SanitizedToken = SanitizeJwtToken(response.Token);
 
     return response;
 }
@@ -650,4 +651,12 @@ void TLoginProvider::UpdateSecurityState(const NLoginProto::TSecurityState& stat
     }
 }
 
+TString TLoginProvider::SanitizeJwtToken(const TString& token) {
+    const size_t signaturePos = token.find_last_of('.');
+    if (signaturePos == TString::npos || signaturePos == token.size() - 1) {
+        return {};
+    }
+    return TStringBuilder() << TStringBuf(token).SubString(0, signaturePos) << ".**"; // <token>.**
+}
+
 }
diff --git a/ydb/library/login/login.h b/ydb/library/login/login.h
@@ -48,6 +48,7 @@ class TLoginProvider {
 
     struct TLoginUserResponse : TBasicResponse {
         TString Token;
+        TString SanitizedToken; // Token for audit logs
     };
 
     struct TValidateTokenRequest : TBasicRequest {
@@ -178,6 +179,7 @@ class TLoginProvider {
     std::vector<TString> GetGroupsMembership(const TString& member);
     static TString GetTokenAudience(const TString& token);
     static std::chrono::system_clock::time_point GetTokenExpiresAt(const TString& token);
+    static TString SanitizeJwtToken(const TString& token);
 
 private:
     std::deque<TKeyRecord>::iterator FindKeyIterator(ui64 keyId);
diff --git a/ydb/library/login/login_ut.cpp b/ydb/library/login/login_ut.cpp
@@ -283,4 +283,11 @@ Y_UNIT_TEST_SUITE(Login) {
             UNIT_ASSERT(response3.ExternalAuth.empty());
         }
     }
+
+    Y_UNIT_TEST(SanitizeJwtToken) {
+        UNIT_ASSERT_VALUES_EQUAL(TLoginProvider::SanitizeJwtToken("123.456"), "123.**");
+        UNIT_ASSERT_VALUES_EQUAL(TLoginProvider::SanitizeJwtToken("123.456.789"), "123.456.**");
+        UNIT_ASSERT_VALUES_EQUAL(TLoginProvider::SanitizeJwtToken("token_without_dot"), "");
+        UNIT_ASSERT_VALUES_EQUAL(TLoginProvider::SanitizeJwtToken("token_without_signature."), "");
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`namespace NKikimr {`
`12`	`12`	`namespace NGRpcService {`
`13`	`13`
`14`		`-void AuditLogLogin(IAuditCtx* ctx, const TString& database, const Ydb::Auth::LoginRequest& request, const Ydb::Auth::LoginResponse& response, const TString& errorDetails)`
	`14`	`+void AuditLogLogin(IAuditCtx* ctx, const TString& database, const Ydb::Auth::LoginRequest& request, const Ydb::Auth::LoginResponse& response, const TString& errorDetails, const TString& sanitizedToken)`
`15`	`15`	`{`
`16`	`16`	`static const TString GrpcLoginComponentName = "grpc-login";`
`17`	`17`	`static const TString LoginOperationName = "LOGIN";`
`@@ -49,11 +49,11 @@ void AuditLogLogin(IAuditCtx* ctx, const TString& database, const Ydb::Auth::Log`
`49`	`49`
`50`	`50`	`// Login`
`51`	`51`	`AUDIT_PART("login_user", (!request.user().empty() ? request.user() : EmptyValue))`
	`52`	`+ AUDIT_PART("sanitized_token", (!sanitizedToken.empty() ? sanitizedToken : EmptyValue))`
`52`	`53`
`53`	`54`	`//TODO: (?) it is possible to show masked version of the resulting token here`
`54`	`55`	`);`
`55`	`56`	`}`
`56`	`57`
`57`	`58`	`}`
`58`	`59`	`}`
`59`		`-`
Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,7 @@ class TLoginRPC : public TRpcRequestActor<TLoginRPC, TEvLoginRequest, true> {`
`88`	`88`	`ReplyErrorAndPassAway(Ydb::StatusIds::INTERNAL_ERROR, "Failed to produce a token");`
`89`	`89`	`} else {`
`90`	`90`	`// success = token + no errors`
`91`		`- ReplyAndPassAway(loginResult.token());`
	`91`	`+ ReplyAndPassAway(loginResult.GetToken(), loginResult.GetSanitizedToken());`
`92`	`92`	`}`
`93`	`93`	`}`
`94`	`94`
`@@ -113,7 +113,7 @@ class TLoginRPC : public TRpcRequestActor<TLoginRPC, TEvLoginRequest, true> {`
`113`	`113`	`}`
`114`	`114`	`}`
`115`	`115`
`116`		`- void ReplyAndPassAway(const TString& resultToken) {`
	`116`	`+ void ReplyAndPassAway(const TString& resultToken, const TString& sanitizedToken) {`
`117`	`117`	`TResponse response;`
`118`	`118`
`119`	`119`	`Ydb::Operations::Operation& operation = *response.mutable_operation();`
`@@ -126,7 +126,7 @@ class TLoginRPC : public TRpcRequestActor<TLoginRPC, TEvLoginRequest, true> {`
`126`	`126`	`operation.mutable_result()->PackFrom(result);`
`127`	`127`	`}`
`128`	`128`
`129`		`- AuditLogLogin(Request.Get(), PathToDatabase, GetProtoRequest(), response, / errorDetails */ TString());`
	`129`	`+ AuditLogLogin(Request.Get(), PathToDatabase, GetProtoRequest(), response, / errorDetails */ TString(), sanitizedToken);`
`130`	`130`
`131`	`131`	`return CleanupAndReply(response);`
`132`	`132`	`}`
`@@ -143,7 +143,7 @@ class TLoginRPC : public TRpcRequestActor<TLoginRPC, TEvLoginRequest, true> {`
`143`	`143`	`issue->set_message(error);`
`144`	`144`	`}`
`145`	`145`
`146`		`- AuditLogLogin(Request.Get(), PathToDatabase, *GetProtoRequest(), response, reason);`
	`146`	`+ AuditLogLogin(Request.Get(), PathToDatabase, *GetProtoRequest(), response, reason, {});`
`147`	`147`
`148`	`148`	`return CleanupAndReply(response);`
`149`	`149`	`}`
Original file line number	Diff line number	Diff line change
`@@ -153,6 +153,7 @@ message TEvLogin {`
`153`	`153`	`message TEvLoginResult {`
`154`	`154`	`optional string Error = 1;`
`155`	`155`	`optional string Token = 2; // signed jwt token`
	`156`	`+ optional string SanitizedToken = 3; // sanitized token without signature`
`156`	`157`	`}`
`157`	`158`
`158`	`159`	`// Sending actor registers itself to be notified when tx completes`
Original file line number	Diff line number	Diff line change
`@@ -272,6 +272,9 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {`
`272`	`272`	`if (TokenType == TDerived::ETokenType::NebiusAccessService) {`
`273`	`273`	`return SanitizeNebiusTicket(Ticket);`
`274`	`274`	`}`
	`275`	`+ if (TokenType == TDerived::ETokenType::Login) {`
	`276`	`+ return NLogin::TLoginProvider::SanitizeJwtToken(Ticket);`
	`277`	`+ }`
`275`	`278`	`return MaskTicket(Ticket);`
`276`	`279`	`}`
`277`	`280`	`};`
Original file line number	Diff line number	Diff line change
`@@ -83,6 +83,7 @@ struct TSchemeShard::TTxLogin : TSchemeShard::TRwTxBase {`
`83`	`83`	`}`
`84`	`84`	`if (loginResponse.Token) {`
`85`	`85`	`result->Record.SetToken(loginResponse.Token);`
	`86`	`+ result->Record.SetSanitizedToken(loginResponse.SanitizedToken);`
`86`	`87`	`}`
`87`	`88`
`88`	`89`	`} else {`
Original file line number	Diff line number	Diff line change
`@@ -157,6 +157,8 @@ Y_UNIT_TEST_SUITE(TWebLoginService) {`
`157`	`157`	`UNIT_ASSERT_STRING_CONTAINS(last, "status=SUCCESS");`
`158`	`158`	`UNIT_ASSERT(!last.contains("reason"));`
`159`	`159`	`UNIT_ASSERT_STRING_CONTAINS(last, "login_user=user1");`
	`160`	`+ UNIT_ASSERT_STRING_CONTAINS(last, "sanitized_token=");`
	`161`	`+ UNIT_ASSERT(last.find("sanitized_token={none}") == std::string::npos);`
`160`	`162`	`}`
`161`	`163`
`162`	`164`	`Y_UNIT_TEST(AuditLogLoginBadPassword) {`
`@@ -198,6 +200,7 @@ Y_UNIT_TEST_SUITE(TWebLoginService) {`
`198`	`200`	`UNIT_ASSERT_STRING_CONTAINS(last, "status=ERROR");`
`199`	`201`	`UNIT_ASSERT_STRING_CONTAINS(last, "reason=Invalid password");`
`200`	`202`	`UNIT_ASSERT_STRING_CONTAINS(last, "login_user=user1");`
	`203`	`+ UNIT_ASSERT_STRING_CONTAINS(last, "sanitized_token={none}");`
`201`	`204`	`}`
`202`	`205`
`203`	`206`	`Y_UNIT_TEST(AuditLogLdapLoginSuccess) {`
`@@ -292,6 +295,8 @@ Y_UNIT_TEST_SUITE(TWebLoginService) {`
`292`	`295`	`UNIT_ASSERT(!last.contains("detailed_status"));`
`293`	`296`	`UNIT_ASSERT(!last.contains("reason"));`
`294`	`297`	`UNIT_ASSERT_STRING_CONTAINS(last, "login_user=user1@ldap");`
	`298`	`+ UNIT_ASSERT_STRING_CONTAINS(last, "sanitized_token=");`
	`299`	`+ UNIT_ASSERT(last.find("sanitized_token={none}") == std::string::npos);`
`295`	`300`	`}`
`296`	`301`
`297`	`302`	`Y_UNIT_TEST(AuditLogLdapLoginBadPassword) {`
`@@ -386,6 +391,7 @@ Y_UNIT_TEST_SUITE(TWebLoginService) {`
`386`	`391`	`UNIT_ASSERT_STRING_CONTAINS(last, "detailed_status=UNAUTHORIZED");`
`387`	`392`	`UNIT_ASSERT_STRING_CONTAINS(last, "reason=Could not login via LDAP: LDAP login failed for user uid=user1,dc=search,dc=yandex,dc=net on server ldap://localhost:");`
`388`	`393`	`UNIT_ASSERT_STRING_CONTAINS(last, "login_user=user1@ldap");`
	`394`	`+ UNIT_ASSERT_STRING_CONTAINS(last, "sanitized_token={none}");`
`389`	`395`	`}`
`390`	`396`
`391`	`397`	`Y_UNIT_TEST(AuditLogLdapLoginBadUser) {`
`@@ -480,6 +486,7 @@ Y_UNIT_TEST_SUITE(TWebLoginService) {`
`480`	`486`	`UNIT_ASSERT_STRING_CONTAINS(last, "detailed_status=UNAUTHORIZED");`
`481`	`487`	`UNIT_ASSERT_STRING_CONTAINS(last, "reason=Could not login via LDAP: LDAP user bad_user does not exist. LDAP search for filter uid=bad_user on server ldap://localhost:");`
`482`	`488`	`UNIT_ASSERT_STRING_CONTAINS(last, "login_user=bad_user@ldap");`
	`489`	`+ UNIT_ASSERT_STRING_CONTAINS(last, "sanitized_token={none}");`
`483`	`490`	`}`
`484`	`491`
`485`	`492`	`// LDAP responses to bad BindDn or bad BindPassword are the same, so this test covers the both cases.`
`@@ -575,6 +582,7 @@ Y_UNIT_TEST_SUITE(TWebLoginService) {`
`575`	`582`	`UNIT_ASSERT_STRING_CONTAINS(last, "detailed_status=UNAUTHORIZED");`
`576`	`583`	`UNIT_ASSERT_STRING_CONTAINS(last, "reason=Could not login via LDAP: Could not perform initial LDAP bind for dn cn=robouser,dc=search,dc=yandex,dc=net on server ldap://localhost:");`
`577`	`584`	`UNIT_ASSERT_STRING_CONTAINS(last, "login_user=user1@ldap");`
	`585`	`+ UNIT_ASSERT_STRING_CONTAINS(last, "sanitized_token={none}");`
`578`	`586`	`}`
`579`	`587`
`580`	`588`	`Y_UNIT_TEST(AuditLogLogout) {`
`@@ -677,6 +685,8 @@ Y_UNIT_TEST_SUITE(TWebLoginService) {`
`677`	`685`	`UNIT_ASSERT_STRING_CONTAINS(last, "subject=user1");`
`678`	`686`	`UNIT_ASSERT_STRING_CONTAINS(last, "operation=LOGOUT");`
`679`	`687`	`UNIT_ASSERT_STRING_CONTAINS(last, "status=SUCCESS");`
	`688`	`+ UNIT_ASSERT_STRING_CONTAINS(last, "sanitized_token=");`
	`689`	`+ UNIT_ASSERT(last.find("sanitized_token={none}") == std::string::npos);`
`680`	`690`	`}`
`681`	`691`	`}`
`682`	`692`	`}`
Original file line number	Diff line number	Diff line change
`@@ -352,6 +352,7 @@ TLoginProvider::TLoginUserResponse TLoginProvider::LoginUser(const TLoginUserReq`
`352`	`352`	`auto encoded_token = token.sign(algorithm);`
`353`	`353`
`354`	`354`	`response.Token = TString(encoded_token);`
	`355`	`+ response.SanitizedToken = SanitizeJwtToken(response.Token);`
`355`	`356`
`356`	`357`	`return response;`
`357`	`358`	`}`
`@@ -650,4 +651,12 @@ void TLoginProvider::UpdateSecurityState(const NLoginProto::TSecurityState& stat`
`650`	`651`	`}`
`651`	`652`	`}`
`652`	`653`
	`654`	`+TString TLoginProvider::SanitizeJwtToken(const TString& token) {`
	`655`	`+ const size_t signaturePos = token.find_last_of('.');`
	`656`	`+ if (signaturePos == TString::npos \|\| signaturePos == token.size() - 1) {`
	`657`	`+ return {};`
	`658`	`+ }`
	`659`	`+ return TStringBuilder() << TStringBuf(token).SubString(0, signaturePos) << "."; // <token>.`
	`660`	`+}`
	`661`	`+`
`653`	`662`	`}`
Original file line number	Diff line number	Diff line change
`@@ -283,4 +283,11 @@ Y_UNIT_TEST_SUITE(Login) {`
`283`	`283`	`UNIT_ASSERT(response3.ExternalAuth.empty());`
`284`	`284`	`}`
`285`	`285`	`}`
	`286`	`+`
	`287`	`+ Y_UNIT_TEST(SanitizeJwtToken) {`
	`288`	`+ UNIT_ASSERT_VALUES_EQUAL(TLoginProvider::SanitizeJwtToken("123.456"), "123.**");`
	`289`	`+ UNIT_ASSERT_VALUES_EQUAL(TLoginProvider::SanitizeJwtToken("123.456.789"), "123.456.**");`
	`290`	`+ UNIT_ASSERT_VALUES_EQUAL(TLoginProvider::SanitizeJwtToken("token_without_dot"), "");`
	`291`	`+ UNIT_ASSERT_VALUES_EQUAL(TLoginProvider::SanitizeJwtToken("token_without_signature."), "");`
	`292`	`+ }`
`286`	`293`	`}`