industry · 2026-05-23 · 12 min read

Customer noticed their magic-link was visible in the error page — Sentry token redaction gap (PR #657 IX F4)

Andrej (40) runs Gostilna Treh Mostov, a 32-cover traditional Slovenian restaurant in Ljubljana's old town under Cobblers Bridge. He has been on thMenu loyalty for 6 months, using magic-link auth for regulars who are mostly mid-40s and older. On Monday a regular, Petra, emailed him: "I clicked my magic-link, got an error, the URL with my token was visible, and the page said the error was reported to thMenu monitoring — is this safe? Could anyone with access log into my account?" Andrej forwarded the email to support.

Forensic findings: the Sentry dashboard showed ~8,400 error reports for /api/customer/magic-link/verify over the last 30 days. Each event's context carried request.url with the full token in plain text, so 8,400 tokens were readable by anyone with Sentry access. Most had already expired (the 24h TTL had passed), but tokens from recently failed attempts could still be valid for a window of roughly 30 minutes, and during that window a malicious actor with Sentry access (a developer, a contractor, or whoever breaches Sentry) could redeem one for account takeover. Low probability, high impact: a defense-in-depth gap. Other Sentry context inspected and found to carry the token: breadcrumbs (navigation URLs), the Referer header on some requests, and stack-trace strings wherever the URL had been concatenated into an error message. Sentry's default auto-redaction covers credit-card and SSN regexes; a custom credential pattern for magic-link tokens had never been configured.

**PR #657 batch IX F4** shipped a two-layer fix: (1) a Sentry beforeSend hook that mutates the event before transmission, applying the regex `/([?&])(token|magic_link_token|otp|verify_token|session_token|api_key|signature|secret)=[a-zA-Z0-9_-]+/gi` to redact URL query parameters; (2) breadcrumbs mapped through the same redaction. Because the hook runs inside the SDK before the event is sent, the URL arrives at Sentry as [REDACTED] and the token never leaves the browser. All 4 SDK setups (web-menu, web-admin, web-affiliate, web-superadmin) shipped in parallel, and the 8,400 historical entries were scrubbed via the Sentry event-scrubbing API.

Andrej passed support's response to Petra: "Your concern was correct. Tokens no longer reach Sentry. The 24h TTL in your inbox is still the security perimeter; our error reporting no longer leaks around it." Synaltix gave Andrej a 6-month Pro upgrade extension.
Pattern: sensitive credentials (magic-link tokens, OTPs, password-reset tokens, session tokens, API keys, OAuth bearer tokens, JWTs) must NEVER reach error logging (Sentry, Cloudflare Logpush, CloudWatch, Datadog, Logtail) in ANY environment. A token redacted from request.url but left in a breadcrumb or a Referer header is still leaked, so redact at every layer: URL and query string, headers (Authorization, Cookie, Referer), breadcrumbs, stack-trace strings and custom data fields.
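The two-layer fix and the every-layer pattern above, as an added example that is not thMenu's PR #657 code: one redaction routine applied to request.url, query_string, headers, breadcrumbs and stack frames, shaped so that `redactEvent` can be passed as Sentry's `beforeSend` option and `redactBreadcrumb` as `beforeBreadcrumb`. The parameter list, the header list, the function names and the sample event are assumptions constructed for the example. One deliberate difference from the regex quoted above: the value class here runs to the next delimiter instead of `[a-zA-Z0-9_-]+`, because a token containing `+`, `/`, `=` padding or a percent-encoded byte would otherwise be masked only up to its first such character, leaving the tail of the secret in the event.

```javascript
// Added example (not thMenu's code): a Sentry-style beforeSend hook that strips
// credential-bearing query parameters from every place a URL can surface in an
// error event. The field names follow Sentry's event JSON (request.url,
// request.query_string, request.headers, breadcrumbs[].data,
// exception.values[].stacktrace.frames[]); parameter and header lists are assumptions.

const SENSITIVE_PARAMS = [
  "token", "magic_link_token", "otp", "verify_token", "session_token",
  "api_key", "signature", "secret",
];
// Headers whose whole value is a credential: replaced outright, no pattern matching.
const SENSITIVE_HEADERS = ["authorization", "cookie", "set-cookie", "x-api-key"];

// name=value after '?', '&' or '#'. The value runs to the next '&', '#', whitespace
// or quote, so base64 '+', '/', '=' padding and percent-encoding are covered in full.
const PARAM_RE = new RegExp(
  `([?&#])(${SENSITIVE_PARAMS.join("|")})=([^&#\\s"']+)`,
  "gi",
);

function redactString(value) {
  if (typeof value !== "string") return value; // numbers, booleans, null pass through
  return value.replace(PARAM_RE, "$1$2=[REDACTED]");
}

// query_string has no leading '?', so borrow one for the match and drop it again.
function redactQueryString(qs) {
  return typeof qs === "string" ? redactString("?" + qs).slice(1) : qs;
}

function redactHeaders(headers) {
  if (!headers || typeof headers !== "object") return headers;
  return Object.fromEntries(
    Object.entries(headers).map(([name, value]) =>
      SENSITIVE_HEADERS.includes(name.toLowerCase())
        ? [name, "[REDACTED]"]
        : [name, redactString(value)], // Referer may carry the magic-link URL
    ),
  );
}

// Usable as Sentry's beforeBreadcrumb; also applied to crumbs already on the event.
function redactBreadcrumb(crumb) {
  const out = { ...crumb };
  if ("message" in out) out.message = redactString(out.message);
  if (out.data && typeof out.data === "object") {
    out.data = Object.fromEntries(
      Object.entries(out.data).map(([k, v]) => [k, redactString(v)]),
    );
  }
  return out;
}

function redactFrame(frame) {
  const out = { ...frame };
  for (const key of ["filename", "abs_path", "context_line"]) {
    if (key in out) out[key] = redactString(out[key]);
  }
  return out;
}

// beforeSend: returns a redacted copy; the original event object is not mutated.
function redactEvent(event) {
  const out = { ...event };
  if ("message" in out) out.message = redactString(out.message);
  if (out.request) {
    const r = { ...out.request };
    if ("url" in r) r.url = redactString(r.url);
    if ("query_string" in r) r.query_string = redactQueryString(r.query_string);
    if ("headers" in r) r.headers = redactHeaders(r.headers);
    out.request = r;
  }
  if (Array.isArray(out.breadcrumbs)) out.breadcrumbs = out.breadcrumbs.map(redactBreadcrumb);
  if (out.exception && Array.isArray(out.exception.values)) {
    out.exception = {
      ...out.exception,
      values: out.exception.values.map((v) => ({
        ...v,
        value: redactString(v.value),
        stacktrace: v.stacktrace && Array.isArray(v.stacktrace.frames)
          ? { ...v.stacktrace, frames: v.stacktrace.frames.map(redactFrame) }
          : v.stacktrace,
      })),
    };
  }
  return out;
}

// Regression check for CI: does the serialized event still contain the secret anywhere?
function leaksToken(event, token) {
  return JSON.stringify(event).includes(token);
}

// Constructed sample event; TOKEN is base64 of "sample-token-not-real", not a real token.
const TOKEN = "c2FtcGxlLXRva2VuLW5vdC1yZWFs";
const SAMPLE_EVENT = {
  message: "magic-link verify failed for https://app.example/verify?token=" + TOKEN,
  request: {
    url: "https://app.example/api/customer/magic-link/verify?token=" + TOKEN + "&next=%2Fmenu",
    query_string: "token=" + TOKEN + "&next=%2Fmenu",
    headers: {
      Referer: "https://app.example/login?magic_link_token=" + TOKEN,
      Authorization: "Bearer " + TOKEN,
      "User-Agent": "Mozilla/5.0",
    },
  },
  breadcrumbs: [
    { category: "navigation", data: { from: "/login", to: "/verify?token=" + TOKEN } },
    { category: "fetch", data: { url: "/api/customer/magic-link/verify?token=" + TOKEN, status_code: 400 } },
  ],
  exception: {
    values: [{
      type: "Error",
      value: "400 from /api/customer/magic-link/verify?token=" + TOKEN,
      stacktrace: { frames: [{ filename: "https://app.example/verify?token=" + TOKEN, lineno: 1 }] },
    }],
  },
};

// Wiring (not executed here): Sentry.init({ dsn, beforeSend: redactEvent, beforeBreadcrumb: redactBreadcrumb });
console.log(JSON.stringify(redactEvent(SAMPLE_EVENT), null, 2));
```

`leaksToken` is the check worth keeping in the test suite: feed it an event fixture containing a known marker string and assert the marker is gone after `redactEvent`, so a new SDK field that starts carrying URLs (a new breadcrumb type, a new context key) fails the build instead of reopening the gap silently.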

thMenu Team

thmenu.com
