Summary
There is no automated regression test proving that ?token= is removed from request logs and access-log formatting continues to mask token values. Since the query-token fallback is a key compatibility feature, it deserves a direct check.
Reproduction
- Run the server with access logging enabled.
- Send requests using
?token=.
- Inspect logs manually.
- There is currently no automated check guarding this behavior.
Expected
A focused test should assert that token values do not appear in access logs and that the middleware strips the query string before logging.
Actual
This remains a manual assumption.
Summary
There is no automated regression test proving that
?token=is removed from request logs and access-log formatting continues to mask token values. Since the query-token fallback is a key compatibility feature, it deserves a direct check.Reproduction
?token=.Expected
A focused test should assert that token values do not appear in access logs and that the middleware strips the query string before logging.
Actual
This remains a manual assumption.