From c15dad6040b48dc5bfdfcb598adb841bcd43a309 Mon Sep 17 00:00:00 2001
From: Joey Hess <joeyh@joeyh.name>
Date: Fri, 1 Aug 2025 12:58:03 -0400
Subject: [PATCH] improve AuthToken display in P2P --debug

Using an empty string to obscure the AuthToken made it impossible to
tell if one was really being presented or not.
---
 P2P/IO.hs            | 2 +-
 Utility/AuthToken.hs | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/P2P/IO.hs b/P2P/IO.hs
index 956c4192c8..83d0839a7a 100644
--- a/P2P/IO.hs
+++ b/P2P/IO.hs
@@ -349,7 +349,7 @@ debugMessage conn prefix m = do
 		]
   where
 	safem = case m of
-		AUTH u _ -> AUTH u nullAuthToken
+		AUTH u _ -> AUTH u displayAuthToken
 		_ -> m
 	ConnIdent mident = connIdent conn
 
diff --git a/Utility/AuthToken.hs b/Utility/AuthToken.hs
index 116e361bbe..0e3506c37c 100644
--- a/Utility/AuthToken.hs
+++ b/Utility/AuthToken.hs
@@ -1,6 +1,6 @@
 {- authentication tokens
  -
- - Copyright 2016 Joey Hess <id@joeyh.name>
+ - Copyright 2016-2025 Joey Hess <id@joeyh.name>
  -
  - License: BSD-2-clause
  -}
@@ -12,6 +12,7 @@ module Utility.AuthToken (
 	toAuthToken,
 	fromAuthToken,
 	nullAuthToken,
+	displayAuthToken,
 	genAuthToken,
 	AllowedAuthTokens,
 	allowedAuthTokens,
@@ -69,6 +70,10 @@ toAuthToken t
 nullAuthToken :: AuthToken
 nullAuthToken = AuthToken $ secureMemFromByteString $ TE.encodeUtf8 T.empty
 
+-- | Display in place of a real AuthToken in protocol dumps.
+displayAuthToken :: AuthToken
+displayAuthToken = AuthToken $ secureMemFromByteString $ TE.encodeUtf8 $ T.pack "<AUTHTOKEN>"
+
 -- | Generates an AuthToken of a specified length. This is done by
 -- generating a random bytestring, hashing it with sha2 512, and truncating
 -- to the specified length.