23 changes: 20 additions & 3 deletions meta-ads/server/main.ts
Expand Up @@ -98,7 +98,14 @@ const runtime = withRuntime<Env>({
redirect_uri?: string;
redirectUri?: string;
}) => {
console.log("[Meta OAuth] exchangeCode called");
console.log("[Meta OAuth] oauthParams:", JSON.stringify(oauthParams));
@cubic-dev-ai cubic-dev-ai bot Dec 26, 2025

P1: Logging OAuth parameters exposes sensitive credentials (authorization code and code_verifier) to logs. Even for debugging, avoid logging the full code and code_verifier values as they could be captured in log aggregation systems.

Suggested change
console.log("[Meta OAuth] oauthParams:", JSON.stringify(oauthParams));
console.log("[Meta OAuth] oauthParams:", JSON.stringify({
...oauthParams,
code: oauthParams.code ? "[REDACTED]" : undefined,
code_verifier: oauthParams.code_verifier ? "[REDACTED]" : undefined,
}));


const appSecret = getEnv("META_APP_SECRET");
console.log(
"[Meta OAuth] META_APP_SECRET:",
appSecret ? "found" : "NOT FOUND",
);

if (!appSecret) {
throw new Error("META_APP_SECRET environment variable is required");
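
Review bot: The added `console.log("[Meta OAuth] oauthParams:", JSON.stringify(oauthParams))` at the top of `exchangeCode` serializes the whole parameter object into the log, and that object is the source of the `code_verifier` this function later puts on the token request, alongside the authorization code being exchanged. Both are credentials for the token exchange and should never reach log storage. Masking two named keys on a spread copy still logs every other field, including any added to the object later, so log an explicit allowlist instead: whether `code` and `code_verifier` are present, and which `redirect_uri` was sent. The `META_APP_SECRET: found / NOT FOUND` line repeats what the `throw new Error("META_APP_SECRET environment variable is required")` directly below it already reports; drop it, or put all of these debug lines behind a flag so they do not run unconditionally.
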
Expand All @@ -122,16 +129,26 @@ const runtime = withRuntime<Env>({
params.set("code_verifier", oauthParams.code_verifier);
}

const response = await fetch(
`https://graph.facebook.com/${META_API_VERSION}/oauth/access_token?${params.toString()}`,
{ method: "GET" },
const tokenUrl = `https://graph.facebook.com/${META_API_VERSION}/oauth/access_token?${params.toString()}`;
console.log(
"[Meta OAuth] Token URL (without secret):",
@cubic-dev-ai cubic-dev-ai bot Dec 26, 2025

P1: Token URL redaction is incomplete - only appSecret is replaced, but the URL also contains the sensitive authorization code and code_verifier in query params. The comment "without secret" is misleading.


tokenUrl.replace(appSecret, "***"),
);

const response = await fetch(tokenUrl, { method: "GET" });

if (!response.ok) {
const error = await response.text();
console.error(
"[Meta OAuth] Token exchange failed:",
response.status,
error,
);
throw new Error(`Meta OAuth failed: ${response.status} - ${error}`);
}

console.log("[Meta OAuth] Token exchange successful!");

const data = (await response.json()) as {
access_token: string;
token_type: string;
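
Review bot: `tokenUrl.replace(appSecret, "***")` in the new "Token URL (without secret)" log does not reliably mask the secret and leaves the other credentials in the line. The URL is built from `params.toString()`, so if `params` is a `URLSearchParams` the values are percent-encoded; a secret containing any character that gets encoded will not match the raw `appSecret` string and is logged in full, and a string pattern replaces only the first occurrence. The same query string carries `code_verifier` (set just above), which is logged unmasked. Log only the fixed part, `https://graph.facebook.com/${META_API_VERSION}/oauth/access_token`, plus the parameter names, and never the query string. In the `!response.ok` branch the raw response body goes into both `console.error` and the thrown `Error` message; keep the body in the server-side log if it is needed and throw a message carrying only `response.status`, so upstream text is not passed to whatever surfaces the exception.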